[Snort-sigs] [Snort-devel] Rule Profiling on small pcap

Joel Esler jesler at ...435...
Tue Nov 13 11:13:35 EST 2012


On Nov 12, 2012, at 6:04 PM, Mike Cox <mike.cox52 at ...2420...> wrote:

> How do you do perf test on small pcaps?  (I sense a comment from Joel
> coming saying testing small pcaps isn't useful....)

It's useful, I'm not saying that.  But it's only useful to a point.

It's useful for tuning that rule on that pcap.  But your tuning to that rule may not reflect the real world.  In the VRT we tune as best we can on the given pcap.  But then we test the rules in the real world and further tweak from there.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20121113/3c4699f9/attachment.html>


More information about the Snort-sigs mailing list