[Snort-users] Rule performance profiling question

waldo kitty wkitty42 at ...14940...
Wed Sep 15 21:04:52 EDT 2010


On 9/15/2010 18:36, Joel Esler wrote:
> Both are SO rules.

ahhh... ok so they are GID 3 which i'm not using at this time due to kernel 
changes in my environment... hopefully you guys will still be releasing SO rules 
that are compatible with the kernel that my environment is "stuck" using for 
security reasons...

>
> J
>
> On Wed, Sep 15, 2010 at 6:16 PM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>
>     On 9/15/2010 16:37, Andy Berryman wrote:
>      > Num SID GID Rev Checks Matches Alerts Microsecs Avg/Check Avg/Match Avg/Nonmatch
>      > === === === === ====== ======= ====== ========= ========= ========= ============
>      >
>      > 1 7019 3 5 234171143 0 0 80911378 0.3 0.0 0.3
>      >
>     [...]
>      >
>      > 76 14643 3 3 82610 0 0 4949758 59.9 0.0 59.9
>
>     what i find interesting is that i do not have either of those rules in my rules
>     files... they simply do not exist AFAICT... however, i'm also not a paying
>     subscriber so it may take up to another 30 days before i see them...
>
>     i do find it interesting that 7019 is enabled in your set up but, as another
>     wrote, is specific to a japanese p2p network that you (or i) are likely to have
>     on their network... i'm curious if that rule comes enabled by default or if you
>     specifically enabled it for performance testing...
