Snort mailing list archives

threshold.conf and performance on snort


From: JS <jspudz () yahoo com>
Date: Tue, 6 Jul 2010 12:15:45 -0700 (PDT)

All,

I have currently been tuning my snort configuration to remove/limit the amount 
of alerts I am receiving. To do this I have been updating my threshold.conf to 
limit or suppress alerts (suppressing only alerts I know are not valid). The majority of my 
threshold.conf configuration is doing "limits" so that I do not get hundreds of 
duplicate messages for a single event.

My current setup is using Snort 2.8.6 running on RHEL with barnyard logging to 
a mysql db backend server which we view via BASE. My question is how much 
overhead (if any) does utilizing the threshold.conf create for my snort sensor? 
If by using threshold.conf I am creating a lot of overhead, is there another 
preferred method to tune what is logged/alerted to my db?

I am running this in daemon mode and I was not sure of a way to check for 
dropped packets or snort performance. Any help/suggestions are appreciated.

-Joe
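Below, as an added example that is not part of Joe's post, is a threshold.conf fragment in the Snort 2.x syntax showing the kinds of entry he describes (limit, threshold, both, suppress). The gen_id/sig_id values, addresses and counts are made up for illustration; match them against your own rule set before use.

```conf
# Example threshold.conf for Snort 2.x (illustrative; SIDs and addresses are made up)
#
# "limit": log the first N events per tracked address in the window, then
# drop the rest.  This is the usual way to stop hundreds of duplicate
# alerts for one event without hiding the event itself.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# "threshold": the opposite of limit; alert only every Nth event in the
# window.  Useful for noisy scan or brute-force rules where one hit is
# uninteresting but twenty in a minute is.
threshold gen_id 1, sig_id 1000002, type threshold, track by_src, count 20, seconds 60

# "both": alert once per window, and only once count is reached.
threshold gen_id 1, sig_id 1000003, type both, track by_dst, count 5, seconds 120

# "suppress": never alert for this rule from this source.  Reserve this for
# alerts you have confirmed are false positives, since suppressed events are
# not logged anywhere.
suppress gen_id 1, sig_id 1000004, track by_src, ip 192.0.2.10

# suppress can also take a CIDR block and match on the destination
suppress gen_id 1, sig_id 1000005, track by_dst, ip 198.51.100.0/24

# a rule can be silenced entirely, regardless of address, by omitting track/ip
suppress gen_id 1, sig_id 1000006
```

In 2.8.5 and later the `threshold` keyword is deprecated in favour of `event_filter`, which takes the same arguments (suppress is unchanged); 2.8.6 still accepts the old form. In Snort 2.x the threshold check runs when an event has already been generated, not once per packet, so a rule that never fires costs nothing here and a rule that fires costs roughly one hash lookup per event. To see whether a daemonised sensor is dropping packets, send it SIGUSR1 (for example `kill -USR1 $(cat /var/run/snort_eth0.pid)`; the pid file path depends on your `-i` and `--pid-path` settings), which makes Snort 2.x write its packet and drop counters to syslog, or enable the perfmonitor preprocessor in snort.conf to log those counters to a file at a fixed interval.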



      
