Snort mailing list archives
Re: CPU usage and bleeding-compromised.rules
From: Matt Jonkman <jonkman () bleedingthreats net>
Date: Thu, 30 Aug 2007 09:28:52 +1000
Ya, that's a huge ruleset, and is having in some cases more of an impact on performance than expected. Don't run it if your boxes are on the edge of load. That said though, I'm going to work to pare down the number of IPs in those lists, go for more just the biggest offenders in each category...

Matt

James Lay wrote:
For what it's worth... Using the new bleeding ruleset compromised rules makes my snort cpu usage go from around 2% to a minimum constant of around 26%. As I look at the ruleset I can see why though... almost a 2 meg text file... yikes!

James

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
Current thread:
- CPU usage and bleeding-compromised.rules James Lay (Aug 29)
- Re: CPU usage and bleeding-compromised.rules Matt Jonkman (Aug 29)