Snort mailing list archives

rules vs. suppress


From: "Lee Clemens" <snort () leeclemens net>
Date: Mon, 21 Mar 2005 17:18:56 -0500


I just wrote a set of rules to watch for traffic with invalid IP addresses
(in private network space).

To jump over my own smaller network (/26) it took about 21 rules (including
1 each for 172.16/12 and 192.168/16)

But my question is this: Would it have been better to simply write SUPPRESS
rules and specify my network in track by_src and track by_dst, or to keep
these many rules that include every private network except my own.

My question has more to do with what is more CPU intensive or
more likely to cause dropped packets, etc... (having a lot of packets alert
and then get suppressed, or a lot of rules that aren't triggered very
often).

Thanks :)




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
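As an added illustration of the two approaches weighed in the question above (this is example code, not from the original post or from the Snort project), the script below takes the RFC 1918 ranges, subtracts the sensor's own network(s) with `ipaddress.address_exclude`, and emits one Snort 2 `alert ip` rule per remaining CIDR block; it also emits the alternative, a `suppress` line per own network and track direction for the threshold configuration. The own network `10.0.0.0/26`, the SID range starting at 1000001 and the message texts are constructed values chosen for the example.

```python
import ipaddress

# RFC 1918 private address space: the ranges the rules are meant to flag.
PRIVATE_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def uncovered_blocks(own_networks):
    """Private space minus own_networks, as a minimal sorted list of CIDR blocks.

    CIDR blocks either nest or are disjoint, so each own network either
    splits a block (address_exclude), swallows it, or leaves it alone.
    """
    blocks = list(PRIVATE_SPACE)
    for own in (ipaddress.ip_network(n) for n in own_networks):
        next_blocks = []
        for block in blocks:
            if own.subnet_of(block):
                next_blocks.extend(block.address_exclude(own))  # empty if equal
            elif block.subnet_of(own):
                continue  # own network covers this whole block, drop it
            else:
                next_blocks.append(block)
        blocks = next_blocks
    return sorted(blocks)


def snort_rules(own_networks, base_sid=1000001):
    """One alert rule per block for traffic from it and one for traffic to it."""
    rules = []
    sid = base_sid
    for block in uncovered_blocks(own_networks):
        rules.append(f'alert ip {block} any -> any any '
                     f'(msg:"Private space source {block}"; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(f'alert ip any any -> {block} any '
                     f'(msg:"Private space destination {block}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def suppress_entries(own_networks, sids, gen_id=1):
    """The alternative: broad per-range rules (their SIDs in `sids`) plus a
    suppress line per own network and track direction for threshold.conf."""
    lines = []
    for sid in sids:
        for net in own_networks:
            for track in ("by_src", "by_dst"):
                lines.append(f"suppress gen_id {gen_id}, sig_id {sid}, "
                             f"track {track}, ip {net}")
    return lines


def is_flagged(own_networks, ip):
    """Would this address match one of the generated per-block rules?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in uncovered_blocks(own_networks))


if __name__ == "__main__":
    own = ["10.0.0.0/26"]  # constructed example sensor network
    for rule in snort_rules(own):
        print(rule)
    print("# versus three broad rules (sids 1000101-1000103) and:")
    for line in suppress_entries(own, [1000101, 1000102, 1000103]):
        print(line)
```

Running it shows the rule count the subtraction produces: carving a /26 out of 10.0.0.0/8 leaves 18 blocks, so with the other two ranges untouched there are 20 blocks and 40 direction-specific rules, against 3 broad rules plus 6 suppress lines. The counts alone do not settle the CPU question, because Snort applies `suppress` at the event-logging stage, after detection has already matched the packet against the broad rule; the per-block rules, by contrast, are cheap header-only matches that are simply never evaluated further for traffic from the excluded network. Either way, checking the generated rule list with `is_flagged` for an address inside and one just outside the own network is a quick sanity test before deploying.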


Current thread: