Snort mailing list archives

Re: A general query regarding snort.

From: Martin Roesch <roesch () sourcefire com>
Date: Sat, 27 Oct 2001 23:18:49 -0400

When snort is run in IDS mode which is the most usual and fast way to run ?
I am running as:

snort -b -A fast -c snort.conf

I want snort to run as fast as possible.


That's pretty much the fastest way to run it.

What is the average number of rules that users loads on snort ? As the number of
rules is increased, load on snort increases ,right ?

Any information is welcome.


I usually run 800-1200 rules in a typical Snort configuration, the more
rules you run the (potentially) slower Snort will run.  This isn't a
100% thing because of the way Snort optimizes its rules load at run
time, if you load 1000 finger rules and there's never any finger traffic
on your network, then there will be little additional CPU load.

     -Marty

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

A general query regarding snort. ashley thomas (Oct 27)
- Re: A general query regarding snort. Martin Roesch (Oct 27)
- <Possible follow-ups>
- RE: A general query regarding snort. Robert D. Hughes (Oct 28)