[Snort-users] Suppress versus #Rule for performance.

Ray Caparros arcy24 at ...11827...
Thu May 20 17:33:46 EDT 2010


We used IDS Policy Manager from Activeworx in the past; it seems pretty decent.

http://www.activeworx.org/Downloads/tabid/54/Default.aspx

-Ray


On Thu, May 20, 2010 at 5:23 PM, JJ Cummings <cummingsj at ...11827...> wrote:
> Another approach might be to enable only what you need.  Using pulledpork
> you can enable everything for MSXX-XXXX as an example.  So compile a list of
> all of the MSXX-XXXXs from the years that you want and put those in
> enablesid for PP... just as a thought....
> JJC
>
> On Thu, May 20, 2010 at 3:15 PM, Jefferson, Shawn
> <Shawn.Jefferson at ...14448...> wrote:
>>
>> Hi,
>>
>>
>>
>> There are lots of rules for systems that we don’t run, and I’ve thought
>> about disabling them to improve performance, however this is a daunting job
>> as it seems I have to go into every rules file (actually oinkmaster or
>> pulled pork conf) and disable them.  How are other people doing this, or are
>> you just not doing it at all?
>>
>>
>>
>> Thanks,
>>
>> Shawn
>>
>>
>>
>> ________________________________
>>
>> From: Joel Esler [mailto:jesler at ...1935...]
>> Sent: Thursday, May 20, 2010 2:04 PM
>> To: Bill Pickens
>> Cc: Snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Suppress versus #Rule for performance.
>>
>>
>>
>> On May 20, 2010, at 4:55 PM, Bill Pickens wrote:
>>
>> Hello Everyone,
>>
>> After Snort has loaded....
>>
>>
>>
>> Is there a difference in Snort performance between suppressing a rule or
>> "#" commenting the rule out?
>>
>> Commenting out a rule turns the rule off, which means that content does
>> not need to be memorized, therefore -- faster.
>>
>>
>>
>> Suppressing a rule just turns off the alert; the rule is still being run.
>>
>>
>>
>> --
>>
>> Joel Esler
>
>
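
The difference discussed in this thread, as an added example that is not part of the original messages: commenting a rule out removes it from the set Snort loads, while a suppress entry leaves the rule loaded and only silences its alert. The sample rules, the sids in the local range, the function names, and the use of gen_id 1 for text rules are assumptions made for illustration.

```python
import re

# Constructed sample rules (not from any real ruleset); sids are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS constructed sample"; content:"cmd.exe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ORACLE constructed sample"; content:"select"; sid:1000002; rev:1;)
# alert tcp any any -> any 25 (msg:"SMTP constructed sample"; content:"EXPN"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def is_active(line):
    """True for an uncommented rule line, i.e. one Snort would load."""
    return line.strip().startswith(ACTIONS)


def active_sids(rules_text):
    """SIDs of the rules that are still loaded (and still evaluated)."""
    sids = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if is_active(line) and m:
            sids.append(int(m.group(1)))
    return sids


def comment_out(rules_text, pattern):
    """Disable every active rule matching `pattern` by prefixing it with '#'."""
    rx = re.compile(pattern)
    lines = ["# " + l if is_active(l) and rx.search(l) else l
             for l in rules_text.splitlines()]
    return "\n".join(lines) + "\n"


def suppress_entries(rules_text, pattern):
    """Suppress lines for the same rules; the rules file itself is untouched."""
    rx = re.compile(pattern)
    return ["suppress gen_id 1, sig_id %d" % sid   # gen_id 1 assumed (text rules)
            for l in rules_text.splitlines()
            if is_active(l) and rx.search(l)
            for sid in map(int, SID_RE.findall(l))]


if __name__ == "__main__":
    pattern = r'msg:"ORACLE'                       # a system this site does not run
    print(active_sids(comment_out(SAMPLE_RULES, pattern)))
    print(suppress_entries(SAMPLE_RULES, pattern), active_sids(SAMPLE_RULES))
```
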



