[Snort-users] Suppress versus #Rule for performance.

Joel Esler jesler at ...1935...
Thu May 20 17:21:03 EDT 2010


I start with one of the VRT base policies (security, connectivity, or balanced) then I modify according to what's on the network.

If you have a Sourcefire setup, RNA does this for you.  (Forgive the plug)

J

On May 20, 2010, at 5:15 PM, Jefferson, Shawn wrote:

> Hi,
>  
> There are lots of rules for systems that we don’t run, and I’ve thought about disabling them to improve performance, however this is a daunting job as it seems I have to go into every rules file (actually oinkmaster or pulled pork conf) and disable them.  How are other people doing this, or are you just not doing it at all?
>  
> Thanks,
> Shawn
>  
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Thursday, May 20, 2010 2:04 PM
> To: Bill Pickens
> Cc: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Suppress versus #Rule for performance.
>  
> On May 20, 2010, at 4:55 PM, Bill Pickens wrote:
> 
> 
> Hello Everyone,
> After Snort has loaded....
>  
> Is there a difference in Snort performance between suppressing a rule or "#" commenting the rule out?
>  
>  
>  
> Commenting out a rule turns the rule off, which means that content does not need to be memorized, therefore -- faster.
>  
> Suppressing a rule just turns off the alert; the rule is still being run.
>  
> --
> Joel Esler

--
Joel Esler
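
The distinction discussed in this thread, as an added example that is not part of the original messages: commenting a rule out removes it from the set Snort loads, while a `suppress` entry leaves it loaded and only hides the alert. The sample rules, their SIDs and the function names are constructed for illustration, and the sketch assumes one rule per line (no backslash continuations).

```python
import re

# Constructed sample rules file; the SIDs and messages are made up.
SAMPLE_RULES = '''\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXAMPLE iis probe"; content:"/scripts/"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"EXAMPLE mssql probe"; content:"xp_cmdshell"; sid:1000002; rev:1;)
# alert tcp any any -> any 21 (msg:"EXAMPLE ftp probe"; content:"SITE EXEC"; sid:1000003; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# An active rule starts with a rule action; a leading '#' means it is already off.
RULE_RE = re.compile(r'^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s')


def loaded_sids(rules_text):
    """SIDs of the rules Snort would load and evaluate (uncommented lines)."""
    sids = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if RULE_RE.match(line) and m:
            sids.append(int(m.group(1)))
    return sids


def disable_rules(rules_text, sids):
    """Comment out active rules whose SID is in `sids`.

    Returns (new_text, disabled), where `disabled` lists the SIDs changed.
    Rules that are already commented out are left untouched.
    """
    out, disabled = [], []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if RULE_RE.match(line) and m and int(m.group(1)) in sids:
            out.append('# ' + line)
            disabled.append(int(m.group(1)))
        else:
            out.append(line)
    return '\n'.join(out) + '\n', disabled


def suppress_lines(sids, gen_id=1):
    """Suppress entries for the same SIDs; the rules file itself is unchanged."""
    return ['suppress gen_id %d, sig_id %d' % (gen_id, s) for s in sorted(sids)]


if __name__ == '__main__':
    new_text, off = disable_rules(SAMPLE_RULES, {1000002, 1000003})
    print('suppress only, still loaded:', loaded_sids(SAMPLE_RULES))
    print('commented out, still loaded:', loaded_sids(new_text), 'disabled:', off)
    print('\n'.join(suppress_lines({1000002})))
```
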






