Snort mailing list archives

Re: Suppress versus #Rule for performance.


From: JJ Cummings <cummingsj () gmail com>
Date: Thu, 20 May 2010 15:23:26 -0600

Another approach might be to enable only what you need.  Using pulledpork
you can enable everything for MSXX-XXXX as an example.  So compile a list of
all of the MSXX-XXXXs from the years that you want and put those in
enablesid for PP... just as a thought....

JJC

On Thu, May 20, 2010 at 3:15 PM, Jefferson, Shawn <
Shawn.Jefferson () bcferries com> wrote:

 Hi,



There are lots of rules for systems that we don’t run, and I’ve thought
about disabling them to improve performance, however this is a daunting job
as it seems I have to go into every rules file (actually oinkmaster or
pulled pork conf) and disable them.  How are other people doing this, or are
you just not doing it at all?



Thanks,

Shawn


 ------------------------------

*From:* Joel Esler [mailto:jesler () sourcefire com]
*Sent:* Thursday, May 20, 2010 2:04 PM
*To:* Bill Pickens
*Cc:* Snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Suppress versus #Rule for performance.



On May 20, 2010, at 4:55 PM, Bill Pickens wrote:



 Hello Everyone,

After Snort has loaded....



Is there a difference in Snort performance between suppressing a rule or
"#" commenting the rule out?







Commenting out a rule turns the rule off, which means that content does not
need to be memorized, therefore -- faster.



Suppressing a rule just turns off the alert; the rule is still being run.

--

Joel Esler

------------------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
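
Added example (not part of the original thread, and not Snort or PulledPork code): since a suppressed rule is still loaded and evaluated, this sketch cross-references suppress entries against a rules file and lists rules that are suppressed for all hosts yet still enabled, as gid:sid lines suitable for a PulledPork disablesid list. It assumes the Snort 2.x form "suppress gen_id G, sig_id S"; the sample rules, SIDs and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the thread).
RULES = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule A"; content:"/a"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule B"; content:"/b"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"constructed rule C"; content:"c"; sid:1000003; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed rule D"; content:"d"; sid:1000004; rev:1;)
'''
SUPPRESS = '''\
suppress gen_id 1, sig_id 1000001
suppress gen_id 1, sig_id 1000002
suppress gen_id 1, sig_id 1000003, track by_src, ip 10.1.1.54
# suppress gen_id 1, sig_id 1000004
'''

# Group 1 is "#" when the rule is commented out; group 2 is the sid.
RULE_RE = re.compile(r'^\s*(#?)\s*(?:alert|log|pass|drop|reject|sdrop)\b.*?\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
# Group 3 holds any ", track ..., ip ..." clause that limits the suppression.
SUPP_RE = re.compile(r'^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*(,.*)?$')

def enabled_rules(text):
    """Return {(gid, sid)} for rules that are not commented out."""
    out = set()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group(1):
            g = GID_RE.search(line)
            out.add((int(g.group(1)) if g else 1, int(m.group(2))))  # gid defaults to 1
    return out

def global_suppressions(text):
    """Return {(gid, sid)} suppressed for every host (no track/ip clause)."""
    out = set()
    for line in text.splitlines():
        m = SUPP_RE.match(line)
        if m and not m.group(3):
            out.add((int(m.group(1)), int(m.group(2))))
    return out

def disable_candidates(rules_text, suppress_text):
    """Rules still evaluated by the engine although every alert is suppressed."""
    both = enabled_rules(rules_text) & global_suppressions(suppress_text)
    return [f"{g}:{s}" for g, s in sorted(both)]

if __name__ == "__main__":
    for entry in disable_candidates(RULES, SUPPRESS):
        print(entry)  # one gid:sid per line
```

Suppressions limited to one address (the "track by_src, ip" form) are skipped on purpose, because the rule must stay enabled to alert for other hosts.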
