[Snort-users] Performance and rule tuning
eslerj at ...11827...
Wed Dec 3 16:34:28 EST 2008
On Dec 3, 2008, at 2:57 PM, Jefferson, Shawn wrote:
> Speaking of the stats though... I noticed that with each increase in
> the performance of my snort sensor, I'm recording more MBit/second.
> Now it's up to around 150 Mb/s. Is this number an accurate measure
> of what's on the wire, or does it depend somewhat on the performance
> of your sensor?
The number you are getting out of the perfmonitor preprocessor is the
amount of traffic *successfully* analyzed. If you are dropping 0
packets at your feed device (tap/switch), and Snort is reporting 0
packet loss, then I'd say you are getting all of it.
> One more question about rule tuning:
> I am getting some false positives from the ftp pre-processor. How
> do I suppress these without disabling the pre-processor altogether?
Threshold and Suppression commands. Take a look at the
README.threshold in the doc/ directory of your Snort tarball, also
take a look at the threshold.conf file in the etc/ directory of your
Snort tarball. You will see many examples on how to configure
Threshold and Suppression, in order to tune your system.
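As an added illustration of the tuning the reply points to (not part of the original message), here is the shape of the `suppress` and `threshold` entries from threshold.conf (the syntax documented in README.threshold for Snort 2.8). The FTP preprocessor raises its events under generator ID 125; the `sig_id` values and the 10.0.0.0/8 network below are constructed placeholders, so substitute the sig_id shown in the bracketed `[gid:sid:rev]` tag of the alert you want to quiet and the hosts you actually trust.

```snort
# threshold.conf fragment (included from snort.conf via "include threshold.conf")

# Suppress one FTP preprocessor event entirely, for every source.
# gen_id 125 = ftp_telnet FTP events; sig_id 1 is a placeholder, use the sid from your alert.
suppress gen_id 125, sig_id 1

# Suppress the same event only when it comes from an internal range,
# so the preprocessor still fires for everything else.
suppress gen_id 125, sig_id 1, track by_src, ip 10.0.0.0/8

# Rather than silencing an event, rate-limit it: log at most one alert
# per source address every 60 seconds (type limit).
threshold gen_id 125, sig_id 2, type limit, track by_src, count 1, seconds 60
```

A suppress entry drops the event before it is logged, so the underlying inspection still happens; a threshold entry keeps the first occurrence visible, which is usually the better choice when the noise is a legitimate client that you still want to see once in a while.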