[Snort-users] Suppress versus #Rule for performance.

JJ Cummings cummingsj at ...11827...
Thu May 20 17:23:26 EDT 2010


Another approach might be to enable only what you need.  Using pulledpork
you can enable everything for MSXX-XXXX as an example.  So compile a list of
all of the MSXX-XXXXs from the years that you want and put those in
enablesid for PP... just as a thought....

JJC

On Thu, May 20, 2010 at 3:15 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

> Hi,
>
> There are lots of rules for systems that we don’t run, and I’ve thought
> about disabling them to improve performance, however this is a daunting job
> as it seems I have to go into every rules file (actually oinkmaster or
> pulled pork conf) and disable them.  How are other people doing this, or are
> you just not doing it at all?
>
> Thanks,
>
> Shawn
>
>  ------------------------------
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Thursday, May 20, 2010 2:04 PM
> *To:* Bill Pickens
> *Cc:* Snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Suppress versus #Rule for performance.
>
> On May 20, 2010, at 4:55 PM, Bill Pickens wrote:
>
> Hello Everyone,
>
> After Snort has loaded....
>
> Is there a difference in Snort performance between suppressing a rule or
> "#" commenting the rule out?
>
> Commenting out a rule turns the rule off, which means that content does not
> need to be memorized, therefore -- faster.
>
> Suppressing a rule just turns off the alert; the rule is still being run.
>
> --
>
> Joel Esler
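
The approach suggested at the top of this message (compile the MSXX-XXXX bulletins for the years you want and feed them to enablesid), sketched as an added example that is not part of the original thread and not PulledPork's own code. It scans rule text for commented-out rules that name an MS bulletin from the chosen years and returns `gid:sid` entries; the sample rules are constructed, and the `gid:sid` entry format for the enablesid file is an assumption.

```python
import re

# Constructed sample rules (not real Snort rules). A leading "#" marks a rule
# that is commented out, i.e. not loaded by Snort at all.
SAMPLE_RULES = """\
# alert tcp any any -> any 445 (msg:"EXAMPLE smb overflow MS08-067"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE iis request"; reference:url,example.com/bulletin/MS10-040; sid:1000002; rev:2;)
# alert tcp any any -> any 139 (msg:"EXAMPLE old netbios MS03-026"; sid:1000003; rev:1;)
#alert tcp any any -> any 25 (msg:"EXAMPLE smtp, no bulletin"; gid:3; sid:1000004; rev:1;)
# free-text comment mentioning MS09-001, not a rule
"""

# A rule line: optional "#", a rule action, then a parenthesised option body.
RULE_RE = re.compile(r"^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\(.*\)\s*$")
BULLETIN_RE = re.compile(r"\bMS(\d{2})-(\d{3})\b", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Yield (gid, sid, enabled, bulletins) per rule line; prose comments are skipped."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(line)
        if not m or not sid:
            continue
        gid = GID_RE.search(line)
        bulletins = {f"MS{y}-{n}" for y, n in BULLETIN_RE.findall(line)}
        # gid defaults to 1 when the rule does not set it
        yield (int(gid.group(1)) if gid else 1, int(sid.group(1)),
               m.group(1) is None, bulletins)

def enablesid_entries(text, years):
    """Return sorted gid:sid strings for disabled rules tied to a bulletin from `years`."""
    wanted = {f"{y % 100:02d}" for y in years}
    out = []
    for gid, sid, enabled, bulletins in parse_rules(text):
        # Already-enabled rules need no entry; only commented-out ones are listed.
        if not enabled and any(b[2:4] in wanted for b in bulletins):
            out.append(f"{gid}:{sid}")
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(enablesid_entries(SAMPLE_RULES, [2008, 2009, 2010])))
```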