[Snort-users] Fine tuning Snort
wkitty42 at ...14940...
Fri Oct 8 00:23:18 EDT 2010
On 10/7/2010 14:02, James Lay wrote:
> Kevin and Waldo, you gents are treasures…I will get to work and report my
> results…thank you much!
something else to thing about concerning rules that you would just totally
suppress in threshold.conf... if they are completely suppressed then you might
as well comment them out of the rules set so they do not consume any memory and
snort won't waste any time loading them just to be ignoring them... but i guess
this also depends on your tools and management systems... some may use only
threshold to "disable" rules where others may actually comment them in the rules
sets files... personally, i think the threshold file is best to suppress certain
rules for certain IPs... total suppression is the same as disabled so... ;)
More information about the Snort-users