Snort mailing list archives
Re: threshold.conf and performance on snort
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 6 Jul 2010 16:28:17 -0400
Js,

Thresholds don't do much to degrade performance, and usually improve performance by limiting output. However, turning off rules (if you are doing any complete suppressions) is more efficient than threshold or suppression.

Sent from my iPhone

On Jul 6, 2010, at 3:15 PM, JS <jspudz () yahoo com> wrote:
All,

I currently have been tuning my snort configuration to remove/limit the amount of alerts I am receiving. To do this I have been updating my threshold.conf to limit or suppress (only alerts I know are not valid) alerts. The majority of my threshold.conf configuration is doing "limits" so that I do not get 100's of duplicate messages for a single event.

My current setup is using snort 2.8.6 running on RHEL with barnyard logging to a mysql db backend server which we view via BASE.

My question is how much overhead (if any) does utilizing the threshold.conf create for my snort sensor? If by using threshold.conf I am creating a lot of overhead, is there another preferred method to tune what is logged/alerted to my db? I am running this in daemon mode and I was not sure of a way to check for dropped packets or snort performance.

Any help/suggestions is appreciated.

-Joe

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
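The reply above says a complete suppression is better handled by turning the rule off. The following is an added example, not part of the original thread or of Snort: it scans threshold.conf text for `suppress` lines that carry no `track`/`ip` scope and returns their IDs, so those rules can be reviewed for disabling. The sample configuration, its sig_id values and the function names are constructed for illustration.

```python
import re

# Constructed sample threshold.conf content (not taken from the thread).
SAMPLE_CONF = """\
# limit: one alert per source per 60 seconds
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
# older standalone keyword, same kind of limit
threshold gen_id 1, sig_id 1000002, type limit, track by_dst, count 1, seconds 300
# scoped suppression: one host only, the rule is still wanted elsewhere
suppress gen_id 1, sig_id 1000003, track by_src, ip 192.0.2.10
# complete suppressions: candidates for disabling the rule instead
suppress gen_id 1, sig_id 1000004
suppress gen_id 1, sig_id 1000005   # trailing comment
"""

FILTER_LINE = re.compile(r"(suppress|event_filter|threshold)\s+(.*)")


def parse_line(line):
    """Return (keyword, {option: value}) for a filter line, else None."""
    line = line.split("#", 1)[0].strip()   # drop comments
    m = FILTER_LINE.match(line)
    if not m:
        return None
    opts = {}
    for part in m.group(2).split(","):
        fields = part.split(None, 1)       # "sig_id 1000004" -> name, value
        if len(fields) == 2:
            opts[fields[0]] = fields[1].strip()
    return m.group(1), opts


def complete_suppressions(conf_text):
    """List (gen_id, sig_id) pairs suppressed with no track/ip scope."""
    found = []
    for line in conf_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        keyword, opts = parsed
        scoped = "track" in opts or "ip" in opts
        if keyword == "suppress" and not scoped and {"gen_id", "sig_id"} <= opts.keys():
            found.append((int(opts["gen_id"]), int(opts["sig_id"])))
    return found


if __name__ == "__main__":
    for gid, sid in complete_suppressions(SAMPLE_CONF):
        print(f"gen_id {gid} sig_id {sid}: complete suppression, consider disabling the rule")
```
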
Current thread:
- threshold.conf and performance on snort JS (Jul 06)
- Re: threshold.conf and performance on snort Jefferson, Shawn (Jul 06)
- Re: threshold.conf and performance on snort JS (Jul 07)
- Re: threshold.conf and performance on snort Joel Esler (Jul 06)
- Re: threshold.conf and performance on snort JS (Jul 07)
- Re: threshold.conf and performance on snort Jefferson, Shawn (Jul 06)