[Snort-users] Snort performance

SN ORT snort_on_acid at ...131...
Mon Feb 2 06:46:01 EST 2004


Looking for some performance tips, and maybe I'm just
overlooking something simple. Here's what I have and
what I've done:

-I use a pass.rules file that I put all of my false
positives. Some of these are real specific, such as
"pass any > $http_servers $http_ports ...etc ;content:
"?open "

-I use this pass.rules file because I assume that it
would be a performance boost and putting pass rules in
each rule file would be a waste since those files get
updated everynight with a cron job, overwriting the
pass rules.

-The pass.rules file is the first rule file processed.
This file has grown to 148 lines.

-I've disabled tcpopt decoder. Don't know if this does
any good anyways..simply because I choose to remain
ignorant.

-I've set my $home_net and $http_servers to specific
class-c ranges, and set my $external_net to equal 
!home_net

What else can I do? I'm using now a 500mhz with 256MB
and I still get a steady 25% cpu usage. Also I can't
seem to be able to add anymore pass rules, namely more
http-specific rules. TIA!

Cheese!

Marc

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/




More information about the Snort-users mailing list