[Snort-users] rules vs. suppress

Jeremy Hewlett jh at ...1935...
Wed Mar 23 13:52:57 EST 2005


On Mon, Mar 21, Lee Clemens wrote:
> 
> But my question is this: Would it have been better to simply write SUPPRESS
> rules and specify my network in track by_src and track by_dst, or to keep
> these many rules that include every private network except my own?

By adding these 21 rules, you're increasing the inspection time. Each
packet that comes in will be evaluated sequentially against these
rules. Suppression is a better choice: it's a simpler execution path,
and you're not adding any additional rules.
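
The suppression approach discussed above, as an added example that is not part of the original message. The signature ID and network are constructed placeholders, not values from the thread; one pair of lines like this is needed per signature to be silenced for the home network.

```conf
# threshold.conf (included from snort.conf)
# Constructed values: sig_id 1000001 stands in for the noisy rule,
# 192.168.1.0/24 stands in for the home network.
# gen_id 1 is the generator for ordinary text rules.

# Drop the alert when the home network is the source of the event...
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.0/24

# ...and when the home network is the destination.
suppress gen_id 1, sig_id 1000001, track by_dst, ip 192.168.1.0/24
```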