Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Suppress versus #Rule for performance.

From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 20 May 2010 15:15:32 -0600
Hi,

There are lots of rules for systems that we don't run, and I've thought about disabling them to improve performance, 
however this is a daunting job as it seems I have to go into every rules file (actually oinkmaster or pulled pork conf) 
and disable them.  How are other people doing this, or are you just not doing it at all?

Thanks,
Shawn

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, May 20, 2010 2:04 PM
To: Bill Pickens
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Suppress versus #Rule for performance.

On May 20, 2010, at 4:55 PM, Bill Pickens wrote:


Hello Everyone,
After Snort has loaded....

Is there a difference in Snort performance between suppressing a rule or "#" commenting the rule out?



Commenting out a rule turns the rule off, which means that content does not need to be memorized, therefore -- faster.

Suppressing a rule just turns off the alert, the rule is still being ran.

--
Joel Esler








------------------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: