[Snort-users] A general query regarding snort.

Martin Roesch roesch at ...1935...
Sat Oct 27 20:16:02 EDT 2001

> When snort is run in IDS mode, which is the most usual and fast way to run?
> I am running as:
> snort -b -A fast -c snort.conf
> I want snort to run as fast as possible.

That's pretty much the fastest way to run it.

> What is the average number of rules that users load on snort? As the number of
> rules is increased, load on snort increases, right?
> Any information is welcome.

I usually run 800-1200 rules in a typical Snort configuration; the more
rules you run, the (potentially) slower Snort will run.  This isn't a
100% thing because of the way Snort optimizes its rules load at run
time: if you load 1000 finger rules and there's never any finger traffic
on your network, then there will be little additional CPU load.


Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
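
A simplified model of the behaviour described in the reply above, added here as an illustration and not Snort's own code: rules sharing a header are grouped, so a packet only pays for the payload checks of the group whose header it matches. The rule contents, packets and function names are constructed, and using (protocol, destination port) as the header is an assumption of this model.

```python
from collections import defaultdict

def build_rules():
    """Constructed rule set: 1000 finger rules (tcp/79) and 3 HTTP rules (tcp/80)."""
    rules = [("tcp", 79, b"finger-sig-%d;" % i) for i in range(1000)]
    rules += [("tcp", 80, b"http-sig-%d;" % i) for i in range(3)]
    return rules

def group_by_header(rules):
    """Collapse rules that share a header into one node holding their payload options."""
    tree = defaultdict(list)
    for proto, dport, content in rules:
        tree[(proto, dport)].append(content)
    return tree

def inspect(tree, packet):
    """Return (alerts, header_checks, option_checks) for one packet."""
    proto, dport, payload = packet
    alerts, header_checks, option_checks = [], 0, 0
    for header, contents in tree.items():
        header_checks += 1
        if header != (proto, dport):
            continue  # header mismatch: every option under this node is skipped
        for content in contents:
            option_checks += 1
            if content in payload:
                alerts.append(content)
    return alerts, header_checks, option_checks

if __name__ == "__main__":
    tree = group_by_header(build_rules())
    packets = [("tcp", 80, b"GET /?q=http-sig-1; HTTP/1.0"),  # constructed sample
               ("tcp", 79, b"finger-sig-7; probe")]           # constructed sample
    for pkt in packets:
        alerts, hdr, opt = inspect(tree, pkt)
        print(pkt[1], alerts, "header checks:", hdr, "option checks:", opt)
```

In this model a network with no finger traffic pays one extra header comparison per packet for the 1000 finger rules, while a single finger packet triggers all 1000 option checks.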
