[Snort-users] Snort CPU consumptions

Balasubramaniam Natarajan bala150985 at ...11827...
Wed Jan 8 22:56:58 EST 2014


On Thu, Jan 9, 2014 at 6:56 AM, waldo kitty <wkitty42 at ...14940...> wrote:

>
> so one answer to tuning this rule would be to
>
>    1. include a content match
>    2. include a flow direction
>
> but looking at that PCRE, I don't see where it is any more helpful than a
> simple
> "any any -> any any" type rule :?
>
>
Thanks for the advice, I will keep them in mind. I have disabled those rules
since my Snort would never get to see traffic on those ports due to the
firewall :-)

I am actually planning to do away with all those rules where the port is
not allowed by my firewall on ingress and create just one rule which
just looks for "SYN-ACK" flags on those exotic ports, should my firewall
fail.  Any pointer on whether this is a good idea?  I know that UDP should also be
addressed.

I can foresee a response coming in saying Snort is not made for this.  I
just hope to be wrong on this one too.

-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
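The "one rule for SYN-ACK on blocked ports" idea from the message above, written out as a small local rules file. This is an added example for this page, not a rule set from the thread or from the Snort distribution. It assumes a Snort 2.x sensor placed on the inside of the firewall, $HOME_NET and $EXTERNAL_NET already defined in snort.conf, and two placeholder port lists (ALLOWED_TCP_PORTS, ALLOWED_UDP_PORTS) standing in for whatever the firewall is actually supposed to pass inbound; the sids are in the local range and are arbitrary.

```snort
# Added example, not from this thread or the Snort distribution.
# Assumptions (all placeholders): the sensor sits on the inside of the
# firewall, $HOME_NET / $EXTERNAL_NET are set in snort.conf, and the two
# port lists below reflect what the firewall is *supposed* to pass inbound.
portvar ALLOWED_TCP_PORTS [22,80,443]
portvar ALLOWED_UDP_PORTS [53,123]

# 1. TCP canary as proposed in the message: an inside host answering
#    SYN-ACK from a port the firewall should block means the SYN leaked
#    through AND a service is listening on it.
#    flags:SA,12 = SYN and ACK set, reserved bits 1 and 2 (CWR/ECE) ignored.
#    flow:stateless lets it fire even when the stream preprocessor has no
#    session for the handshake yet. No content/pcre, so it is cheap to
#    evaluate (relevant to the CPU question this thread started with).
alert tcp $HOME_NET !$ALLOWED_TCP_PORTS -> $EXTERNAL_NET any ( \
    msg:"LOCAL firewall-canary SYN-ACK from inside on non-allowed TCP port"; \
    flags:SA,12; flow:stateless; \
    classtype:policy-violation; sid:1000001; rev:1; )

# 2. Broader TCP canary: any inbound SYN on a non-allowed port shows the
#    firewall leaked, even when nothing inside is listening. Behind a
#    working firewall this should stay silent; in front of one it would
#    fire on every port scan, so only use it with an inside sensor.
alert tcp $EXTERNAL_NET any -> $HOME_NET !$ALLOWED_TCP_PORTS ( \
    msg:"LOCAL firewall-canary inbound SYN to non-allowed TCP port"; \
    flags:S,12; flow:stateless; \
    classtype:policy-violation; sid:1000002; rev:1; )

# 3. UDP has no handshake, so there is no SYN-ACK equivalent; the only
#    reliable signal is the inbound datagram itself reaching the inside
#    segment on a port the firewall should have dropped.
alert udp $EXTERNAL_NET any -> $HOME_NET !$ALLOWED_UDP_PORTS ( \
    msg:"LOCAL firewall-canary inbound UDP to non-allowed port"; \
    classtype:policy-violation; sid:1000003; rev:1; )
```

Include the file from snort.conf and run `snort -T -c snort.conf` to have Snort parse the rules before deploying. The SYN-ACK rule keys on the source port of the inside host, which is exactly the listening service the firewall was meant to hide, so it only makes sense where the sensor sees the inside segment; placed in front of the firewall, rules 2 and 3 would alert on ordinary Internet background scanning rather than on a firewall failure.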

