Snort mailing list archives

Snort Performance issues


From: "Marc Quibell" <mquibell () fbfs com>
Date: Fri, 30 Jan 2004 14:22:37 -0600



I don't know why I can't post from my Yahoo account. Could someone explain that
to me? Do we have to subscribe or what?

Looking for some performance tips, and maybe I'm just
overlooking something simple. Here's what I have and
what I've done:

-I use a pass.rules file that I put all of my false
positives in. Some of these are real specific, such as
"pass any > $http_servers $http_ports ...etc ;content:
"?open "

-I use this pass.rules file because I assume that it
would be a performance boost and putting pass rules in
each rule file would be a waste since those files get
updated every night with a cron job, overwriting the
pass rules.

-The pass.rules file is the first rule file processed.
This file has grown to 148 lines.

-I've disabled tcpopt decoder. Don't know if this does
any good anyways... simply because I choose to remain
ignorant.

-I've set my $home_net and $http_servers to specific
class-c ranges, and set my $external_net to equal
!home_net

What else can I do? I'm now using a 500 MHz with 256MB
and I still get a steady 25% cpu usage. Also I can't
seem to be able to add any more pass rules, namely more
http-specific rules. TIA!

Cheese!

Marc



