Re: Performance and rule tuning

[Joel Esler <eslerj () gmail com>]

On Dec 3, 2008, at 2:57 PM, Jefferson, Shawn wrote:

> Speaking of the stats though... I noticed that with each increase in  
> the performance of my snort sensor, I'm recording more MBit/second.   
> Now it's up to around 150 Mb/s.  Is this number an accurate measure  
> of what's on the wire, or does it depend somewhat on the performance  
> of your sensor?

The number you are getting out of the perfmonitor preprocessor is the  
amount of traffic *successfully* analyzed.  If you are dropping 0  
packets at your feed device (tap/switch), and Snort is reporting 0  
packet loss, then I'd say you are getting all of it.

> One more question about rule tuning:
>
> I am getting some false positives from the ftp pre-processor.  How  
> do I suppress these without disabling the pre-processor altogether?

Threshold and Suppression commands.  Take a look at the  
README.threshold in the doc/ directory of your Snort tarball, also  
take a look at the threshold.conf file in the etc/ directory of your  
Snort tarball.  You will see many examples on how to configure  
Threshold and Suppression, in order to tune your system.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users