[Snort-users] Certin ET rulesets and 100 percent usage.

Matt Jonkman jonkman at ...4024...
Thu May 7 12:15:50 EDT 2009


Straight IP matching is something Snort doesn't do well. Unfortunately.
So this isn't that unexpected.

I'd only run those rulesets where you can afford the cycles. or run a
second snort for these alone and turn off everything in it's config to
streamline some.

Matt

jlay at ...13475... wrote:
> So here's something interesting.  Enabling ANY of the below rulesets
> results in snort using 100% CPU:
> 
> emerging-botcc.rules
> emerging-compromised.rules
> emerging-drop.rules
> emerging-dshield.rules
> emerging-rbn.rules
> emerging-tor.rules
> 
> Without snort uses around 49%.  Using 2.8.4.1 with about 700K average
> traffic.  Any thoughts?  Thanks.
> 
> James
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
> Series Scanner you'll get full speed at 300 dpi even with all image 
> processing features enabled. http://p.sf.net/sfu/kodak-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc






More information about the Snort-users mailing list