Snort mailing list archives

Threshold.conf best practices


From: Jon Price <JonP () insync-socal com>
Date: Thu, 5 May 2016 02:46:49 +0000


We are running a few snort boxes that are monitoring a few thousand hosts. I've been tuning my snort instance by
suppressing / rate limiting alerts based on time, src and dest. So far so good.

What I'd like to ask is: are there any best practices regarding how many suppression rules or lines there should be in
threshold.conf? At some point one would think to just disable the rule.

For example: ET POLICY Dropbox DNS Lookup; we suppress this for about 200 hosts (each their own line in
threshold.conf) but alert on any others. The same exceptions go for 20-30 other rules, and that gives me a 2000+ line
threshold.conf. No issues detected, but maybe my snort instance is struggling and I don't see it.

Thanks for your time. Hopefully I didn't sound too dumb on my first list post.
 
-jp
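One way to get a handle on a threshold.conf of that shape is to audit it mechanically: count how many suppress lines each SID accounts for (the SIDs with the most per-host exceptions are the candidates for disabling or for a narrower rule), and collapse runs of per-host `suppress` lines for the same gen_id/sig_id/track into the minimal set of CIDR blocks. The script below is an added example, not part of the original post or of the Snort project; the SIDs and addresses in the sample config are constructed, and the bracketed `ip [a,b/24]` list form it emits is the `<ip-list>` syntax documented for `suppress` in the Snort 2.9 manual, which you should confirm against the manual for the version you run before relying on it.

```python
import re
from collections import defaultdict
from ipaddress import ip_network, collapse_addresses

# Constructed sample threshold.conf: the SIDs and addresses are made up for
# this example and do not correspond to any real rule set.
SAMPLE_THRESHOLD_CONF = """\
# one suppress line per workstation for a noisy policy rule
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.4
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.5
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.6
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.7
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.1.1.20
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.10
event_filter gen_id 1, sig_id 1000003, type limit, track by_src, count 1, seconds 60
"""

# Matches only the per-IP form of suppress; a suppress with no track/ip
# (which silences the SID everywhere) is deliberately left alone.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+)\s*$"
)


def parse_suppress_lines(text):
    """Return {(gen_id, sig_id, track): [networks]} for every per-IP suppress line.

    Comments, blank lines, event_filter lines and global suppress lines are skipped.
    """
    groups = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            continue
        gid, sid, track, ip = m.groups()
        # A bare host address becomes a /32; a CIDR string is kept as given.
        groups[(int(gid), int(sid), track)].append(ip_network(ip, strict=False))
    return groups


def line_counts(groups):
    """Suppress lines per (gen_id, sig_id), largest first: the tuning hot spots."""
    counts = defaultdict(int)
    for (gid, sid, _track), nets in groups.items():
        counts[(gid, sid)] += len(nets)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def _fmt(net):
    # Print single hosts without the /32 so the output reads like hand-written config.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def consolidate(groups):
    """One suppress line per (gen_id, sig_id, track), covering exactly the same
    addresses as the original per-host lines, using the fewest CIDR blocks."""
    out = []
    for (gid, sid, track), nets in sorted(groups.items()):
        blocks = [_fmt(n) for n in collapse_addresses(nets)]
        ip_field = blocks[0] if len(blocks) == 1 else "[" + ",".join(blocks) + "]"
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip_field}")
    return out


if __name__ == "__main__":
    groups = parse_suppress_lines(SAMPLE_THRESHOLD_CONF)
    for (gid, sid), n in line_counts(groups):
        print(f"gid {gid} sid {sid}: {n} per-host suppress lines")
    print()
    print("\n".join(consolidate(groups)))
```

Run it against a real threshold.conf by reading the file into `parse_suppress_lines` instead of the constructed sample. The consolidation is exact (collapse_addresses only merges adjacent blocks and drops subsumed ones), so the rewritten lines suppress precisely the hosts the originals did; review the counts first, since a SID that needs hundreds of exceptions is usually telling you the rule does not fit your environment rather than that you need more suppress lines.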
