[Snort-users] Performance and rule tuning

Joel Esler eslerj at ...11827...
Wed Dec 3 16:34:28 EST 2008


On Dec 3, 2008, at 2:57 PM, Jefferson, Shawn wrote:

> Speaking of the stats though... I noticed that with each increase in  
> the performance of my snort sensor, I'm recording more MBit/second.   
> Now it's up to around 150 Mb/s.  Is this number an accurate measure  
> of what's on the wire, or does it depend somewhat on the performance  
> of your sensor?

The number you are getting out of the perfmonitor preprocessor is the  
amount of traffic *successfully* analyzed.  If you are dropping 0  
packets at your feed device (tap/switch), and Snort is reporting 0  
packet loss, then I'd say you are getting all of it.

> One more question about rule tuning:
>
> I am getting some false positives from the ftp pre-processor.  How  
> do I suppress these without disabling the pre-processor altogether?

Threshold and Suppression commands.  Take a look at the  
README.threshold in the doc/ directory of your Snort tarball, also  
take a look at the threshold.conf file in the etc/ directory of your  
Snort tarball.  You will see many examples on how to configure  
Threshold and Suppression, in order to tune your system.




More information about the Snort-users mailing list