[Snort-users] Performance and rule tuning

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Dec 2 12:36:31 EST 2008


I have a couple of questions about performance and rule tuning.


I'm seeing quite a few dropped packets on one of my sensors.  Traffic is about 30-60 Mb/s.  From the reading I've done, it seems like the first thing is to make sure your variables are set in snort.conf, and probably the next is to move to mmapped pcap.  I've attempted to do both of these; however, I was wondering whether snort is actually using the mmapped pcap or not.  Is there any way to tell?

I did the following:
- apt-get remove libpcap-dev
- built the mmapped pcap
- rebuilt snort
- put PCAP_FRAMES=32768 in my script file that starts snort

There aren't many "how-to" articles out there for doing this, and I hope I did everything right.

Rule Tuning:

Is the optimal way of tuning out false positives using suppress rules in threshold.conf?  I am using oinkmaster to download new rules each day, so I'm assuming that commenting out rules won't work.
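As an added illustration of the suppress-rule approach asked about above (not code from the original post), the following Python script parses and validates the `suppress` lines of a threshold.conf before it is deployed, using a constructed sample config that deliberately contains one malformed entry (`track` without an `ip`); the `suppress gen_id ..., sig_id ...[, track by_src|by_dst, ip ...]` form is the Snort 2.x threshold.conf syntax, and the sample sids are placeholders.

```python
import ipaddress
import re

# Constructed sample threshold.conf (placeholder sids): two valid suppress
# entries and one that is malformed (track given without an ip).
SAMPLE_THRESHOLD_CONF = """\
# suppress a noisy rule everywhere
suppress gen_id 1, sig_id 2003
# suppress only when the source is the monitoring host
suppress gen_id 1, sig_id 1852, track by_src, ip 10.0.0.5/32
suppress gen_id 1, sig_id 1000, track by_dst
"""

# suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip[/cidr]>]
_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(line):
    """Parse one 'suppress' line into a dict; raise ValueError if malformed."""
    m = _SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError("malformed suppress line: %r" % line)
    gid, sid, track, ip = m.groups()
    entry = {"gen_id": int(gid), "sig_id": int(sid)}
    if track:
        entry["track"] = track
        # ip_network raises ValueError on a bad address or mask
        entry["ip"] = str(ipaddress.ip_network(ip, strict=False))
    return entry


def load_suppressions(text):
    """Return (entries, errors) for the suppress lines in a threshold.conf.

    errors is a list of (line_number, message) so a bad line can be fixed
    before Snort is restarted with the new file.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("suppress"):
            continue  # blank lines, comments, threshold/event_filter lines
        try:
            entries.append(parse_suppress(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors
```

Run it against the real threshold.conf (`load_suppressions(open("threshold.conf").read())`) after each oinkmaster update; a non-empty `errors` list means the file needs fixing before a restart.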

