[Snort-users] rules vs. suppress

Lee Clemens snort at ...13080...
Mon Mar 21 14:19:20 EST 2005

I just wrote a set of rules to watch for traffic with invalid IP addresses
(in private network space).

To jump over my own smaller network (/26) it took about 21 rules (including
1 each for 172.16/12 and 192.168/16).

But my question is this: Would it have been better to simply write SUPPRESS
rules and specify my network in track by_src and track by_dst, or to keep
these many rules that include every private network except my own?

My question has more to do with what is more CPU intensive or
more likely to cause dropped packets, etc... (having a lot of packets alert
and then get suppressed, or a lot of rules that aren't triggered very

Thanks :)
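The two approaches the post contrasts, written out as an added example (not the poster's rules): the local subnet 10.1.2.0/26 and the sid values are constructed for illustration, and the Snort 2.x syntax (bracketed IP lists in the rule header, suppress entries in threshold.conf) is assumed.

```snort
# Approach 1: match only the private space that is NOT ours.
# Snort 2.x rule headers accept a bracketed IP list but no nested negation,
# so "10/8 minus 10.1.2.0/26" is written out as the 18 CIDR blocks that
# together cover it (one per prefix length from /9 to /26), plus 172.16/12
# and 192.168/16. Packets from 10.1.2.0/26 never match, so detection does
# no further work on them.
alert ip [10.128.0.0/9,10.64.0.0/10,10.32.0.0/11,10.16.0.0/12,10.8.0.0/13,10.4.0.0/14,10.2.0.0/15,10.0.0.0/16,10.1.128.0/17,10.1.64.0/18,10.1.32.0/19,10.1.16.0/20,10.1.8.0/21,10.1.4.0/22,10.1.0.0/23,10.1.3.0/24,10.1.2.128/25,10.1.2.64/26,172.16.0.0/12,192.168.0.0/16] any -> any any (msg:"Private-space source address, not local"; sid:1000001; rev:1;)

# Approach 2: match all private space, then suppress our own subnet.
# Every packet from 10.1.2.0/26 still matches the rule and raises an event;
# the suppress entry discards that event afterwards, so the detection cost
# is still paid and only the logging is avoided.
alert ip [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16] any -> any any (msg:"Private-space source address"; sid:1000002; rev:1;)

# threshold.conf (constructed sid must match the rule above)
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.1.2.0/26
```

The same pair of entries with `track by_dst` and the list on the destination side of `->` covers the inbound direction the post also asks about.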
