Snort mailing list archives

Performance and rule tuning


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 2 Dec 2008 10:36:31 -0700

Hi,

I have a couple of questions about performance and rule tuning.

Performance:

I'm seeing quite a few dropped packets on one of my sensors.  Traffic is about 30-60 Mb/s.  From the reading I've 
done, it seems like the first thing is to make sure your variables are set in snort.conf, and probably the next is to 
move to mmapped pcap.  I've attempted to do both of these, however, I was wondering if snort is actually using the 
mmapped pcap or not. Is there any way to tell?

I did the following:
- apt-get remove libpcap-dev
- built the mmapped pcap
- rebuilt snort
- put PCAP_FRAMES=32768 in my script file that starts snort

There aren't many "how-to" articles out there for doing this, and I hope I did everything right.

Rule Tuning:

Is the optimal way of tuning out false positives using suppress rules in threshold.conf?  I am using oinkmaster to 
download new rules each day, so I'm assuming that commenting out rules won't work.

Thanks!
Shawn
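As an added example for the rule-tuning question (not Shawn's configuration and not a fragment shipped with Snort), here is a threshold.conf excerpt showing the suppress forms alongside a rate limit; the SID 1000001 and the addresses are placeholders chosen for illustration.

```conf
# threshold.conf: local tuning kept outside the oinkmaster-managed rule files,
# so it survives the daily rule download. SID and addresses are placeholders.

# Silence SID 1000001 entirely (gen_id 1 = rules from the text rule files)
suppress gen_id 1, sig_id 1000001

# Silence it only when the source is one known-noisy host
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.54

# Silence it only for traffic destined to the monitoring subnet
suppress gen_id 1, sig_id 1000001, track by_dst, ip 192.168.10.0/24

# Rate-limit instead of silencing: at most one alert per source per 60 seconds
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

Suppress entries keep the rule loaded but drop its events, so prefer the `track by_src`/`by_dst` forms with an address list over a blanket suppress where the false positive is tied to a few hosts. If a rule should never fire at all, oinkmaster's own `disablesid` directive in oinkmaster.conf re-applies the disable on every download, which is what hand-commenting a rule in the downloaded file cannot survive.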
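As an added example (not part of the original post, and not Snort or libpcap project code), here is a small POSIX shell script that answers the "is snort actually using the mmapped pcap?" question by checking two things: whether the libpcap the snort binary resolves contains the PCAP_FRAMES string (only the ring-buffer/mmap libpcap looks that variable up), and whether a running snort process really has PCAP_FRAMES in its environment, since a bare PCAP_FRAMES=32768 assignment in a start script is not passed to the child unless it is exported. The binary path and PID are assumptions supplied on the command line.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a snort binary is
# linked against a libpcap that knows PCAP_FRAMES and that a running snort
# actually received PCAP_FRAMES in its environment. Paths/PIDs are assumptions.

# Print the libpcap shared object a dynamically linked binary resolves at run time.
pcap_lib_for() {
    ldd "$1" 2>/dev/null | awk '/libpcap/ { print $3; exit }'
}

# Succeed if the file contains the literal string PCAP_FRAMES, i.e. it was
# built from the mmap-capable libpcap; a stock libpcap does not mention it.
lib_reads_pcap_frames() {
    grep -a -q 'PCAP_FRAMES' "$1"
}

# Succeed if a NUL-separated environment image (such as /proc/PID/environ)
# carries a PCAP_FRAMES= setting, which is what the process itself saw.
environ_has_pcap_frames() {
    tr '\0' '\n' < "$1" | grep -q '^PCAP_FRAMES='
}

check_snort() {
    bin=$1
    pid=$2
    lib=$(pcap_lib_for "$bin")
    if [ -z "$lib" ]; then
        # No shared libpcap: statically linked or missing; inspect the binary itself.
        target=$bin
    else
        target=$lib
    fi
    if lib_reads_pcap_frames "$target"; then
        echo "$bin: libpcap in $target knows PCAP_FRAMES (mmap-capable build)"
    else
        echo "$bin: libpcap in $target does not know PCAP_FRAMES (stock build, variable ignored)"
    fi
    if [ -n "$pid" ]; then
        if [ ! -r "/proc/$pid/environ" ]; then
            echo "pid $pid: cannot read /proc/$pid/environ (run as root or the snort user)"
        elif environ_has_pcap_frames "/proc/$pid/environ"; then
            echo "pid $pid: PCAP_FRAMES is set in the process environment"
        else
            echo "pid $pid: PCAP_FRAMES missing from the process environment; export it before exec"
        fi
    fi
}

# Usage (paths are assumptions): sh check_mmap_pcap.sh /usr/local/bin/snort [snort-pid]
if [ $# -gt 0 ]; then
    check_snort "$@"
fi
```

The first check tells you which libpcap build snort is really loading (an apt-installed libpcap left behind in /usr/lib can still win over the rebuilt one if the link order or ldconfig cache favours it); the second catches the common mistake of setting the variable in the script without `export`. The final word is still snort's own packet statistics: the dropped-packet counter it prints on exit or on SIGUSR1 should fall after the change, and if it does not, the ring buffer is not in play.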
