[Snort-sigs] ignoring lots of hosts
emechler at ...1653...
Wed Dec 10 09:25:12 EST 2003
:: I'm not sure how the efficiency is on BPF filters versus pass rules. If
:: I have to ignore a large number of hosts (~200-ish), some of which are
:: hosts plus port combinations, some of which are just hosts, is it better
:: to use BPF filters on the command line, or pass rules?
A BPF filter will drop the packet lower in the stack than will a pass rule.
In general, they're really efficient, and definitely more so than having
the packet get processed by Snort. However, I can't speak as to how the
system will respond with ~200 of them. Shooting in the dark here, but
perhaps there's another way to describe these connections such that you can
trim the number of rules down?
Cheers - Erick
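One concrete way to act on the "describe these connections differently" suggestion is to collapse the host list into CIDR blocks before writing the filter, so that a few hundred individual entries become far fewer BPF terms. The script below is an added example and not from the original thread; the host and port lists in it are constructed sample data, and the generated expression is in plain tcpdump/BPF syntax of the kind Snort accepts as a trailing filter argument. It only merges hosts that exactly fill a block, and it checks that the aggregated networks cover exactly the original hosts, since an over-broad ignore filter silently blinds the sensor.

```python
import ipaddress

# Constructed sample ignore list (not from the original post).
IGNORE_HOSTS = [f"10.0.0.{i}" for i in range(8)] + ["10.0.0.9", "192.168.5.7"]
IGNORE_HOST_PORTS = [("10.1.2.3", 53), ("10.1.2.3", 123), ("172.16.0.9", 514)]


def aggregate_hosts(hosts):
    """Collapse individual IPv4 hosts into the smallest exact set of CIDR blocks.

    collapse_addresses only merges blocks that completely fill a supernet, so
    the result never covers an address that was not in the input.
    """
    nets = [ipaddress.ip_network(h) for h in hosts]
    return list(ipaddress.collapse_addresses(nets))


def covers_exactly(hosts, nets):
    """True if every host falls in some block and no extra addresses were added."""
    addrs = {ipaddress.ip_address(h) for h in hosts}
    in_block = all(any(a in n for n in nets) for a in addrs)
    same_size = sum(n.num_addresses for n in nets) == len(addrs)
    return in_block and same_size


def bpf_term_for_network(net):
    """Render one block as a BPF primitive: 'host a.b.c.d' or 'net a.b.c.d/len'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def build_ignore_filter(hosts, host_ports):
    """Build a single 'not (...)' BPF expression for plain hosts and host+port pairs."""
    nets = aggregate_hosts(hosts)
    if not covers_exactly(hosts, nets):
        raise ValueError("aggregation changed the ignore set; refusing to emit filter")
    terms = [bpf_term_for_network(n) for n in nets]

    # Group ports per host so each host+port host appears once in the expression.
    by_host = {}
    for h, p in host_ports:
        by_host.setdefault(ipaddress.ip_address(h), set()).add(p)
    for h in sorted(by_host):
        ports = sorted(by_host[h])
        if len(ports) == 1:
            terms.append(f"(host {h} and port {ports[0]})")
        else:
            port_expr = " or ".join(f"port {p}" for p in ports)
            terms.append(f"(host {h} and ({port_expr}))")

    if not terms:
        return ""
    return "not (" + " or ".join(terms) + ")"


def term_count(hosts, host_ports):
    """How many BPF terms the filter contains versus the raw entry count."""
    nets = aggregate_hosts(hosts)
    distinct_port_hosts = {h for h, _ in host_ports}
    return len(nets) + len(distinct_port_hosts), len(hosts) + len(host_ports)


if __name__ == "__main__":
    expr = build_ignore_filter(IGNORE_HOSTS, IGNORE_HOST_PORTS)
    terms, raw = term_count(IGNORE_HOSTS, IGNORE_HOST_PORTS)
    print(f"{raw} raw entries -> {terms} BPF terms")
    print(expr)
```

The emitted string is what you would pass to Snort (or to `tcpdump -d "<expr>"` to compile-check the syntax before deploying it); the `covers_exactly` guard is the part worth keeping even if you hand-write the filter, because a CIDR typo on an ignore list fails open rather than loud.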