Snort mailing list archives

Snort performance


From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 29 Jan 2004 08:42:14 -0800 (PST)

Looking for some performance tips, and maybe I'm just
overlooking something simple. Here's what I have and
what I've done:

-I use a pass.rules file that I put all of my false
positives in. Some of these are really specific, such as
"pass any > $http_servers $http_ports ...etc ;content:
"?open "

-I use this pass.rules file because I assume that it
would be a performance boost and putting pass rules in
each rule file would be a waste since those files get
updated every night with a cron job, overwriting the
pass rules.

-The pass.rules file is the first rule file processed.
This file has grown to 148 lines.

-I've disabled the tcpopt decoder. Don't know if this does
any good anyways... simply because I choose to remain
ignorant.

-I've set my $home_net and $http_servers to specific
class C ranges, and set my $external_net to equal
!home_net

What else can I do? I'm now using a 500 MHz with 256 MB
and I still get a steady 25% CPU usage. Also I can't
seem to be able to add any more pass rules, namely more
http-specific rules. TIA!

Cheese!

Marc
