[Snort-users] Fine tuning Snort

waldo kitty wkitty42 at ...14940...
Fri Oct 8 00:23:18 EDT 2010


On 10/7/2010 14:02, James Lay wrote:
> Kevin and Waldo, you gents are treasures…I will get to work and report my
> results…thank you much!

something else to think about concerning rules that you would just totally 
suppress in threshold.conf... if they are completely suppressed then you might 
as well comment them out of the rules set so they do not consume any memory and 
snort won't waste any time loading them just to be ignoring them... but i guess 
this also depends on your tools and management systems... some may use only 
threshold to "disable" rules where others may actually comment them in the rules 
sets files... personally, i think the threshold file is best to suppress certain 
rules for certain IPs... total suppression is the same as disabled so... ;)
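
An added example, not part of the original post: a Python sketch that finds suppress entries in threshold.conf with no track/ip qualifier (total suppression) and comments the matching rules out of a rules file, while leaving per-IP suppressions alone. The file contents and SIDs are constructed samples, and the script assumes text rules only (gen_id 1).

```python
import re

# Constructed sample input (not from the original post).
THRESHOLD_CONF = """\
# threshold.conf (constructed sample)
suppress gen_id 1, sig_id 2000001
suppress gen_id 1, sig_id 2000002, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2000003, track by_dst, ip 198.51.100.0/24
suppress gen_id 1, sig_id 2000004
"""

RULES = """\
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:2000001; rev:1;)
alert tcp any any -> any 25 (msg:"constructed rule B"; sid:2000002; rev:1;)
# alert tcp any any -> any 21 (msg:"constructed rule D"; sid:2000004; rev:1;)
"""

SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def total_suppressions(conf_text):
    """Return sig_ids (gen_id 1 only) suppressed with no track/ip qualifier."""
    sids = set()
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line)  # commented-out lines do not match
        if m and m.group(1) == "1" and "track" not in m.group(3):
            sids.add(int(m.group(2)))
    return sids

def disable_rules(rules_text, sids):
    """Comment out active rules whose sid is in sids; return (text, changed)."""
    out, changed = [], []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
            changed.append(int(m.group(1)))
        else:
            out.append(line)  # per-IP suppressed or already disabled: untouched
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    total = total_suppressions(THRESHOLD_CONF)
    new_rules, changed = disable_rules(RULES, total)
    print("totally suppressed:", sorted(total))
    print("commented out:", changed)
    print(new_rules)
```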



