[Emerging-Sigs] Snort, IP-Only Rules, Performance

Nathan nathan at packetmail.net
Fri Dec 7 09:12:50 HAST 2012


On 12/07/2012 11:49 AM, JJ Cummings wrote:
> The IP rep preproc works perfectly well passively also.

Thanks, I did some smart BPF; since all the rules are either udp or flags:S; I
think '(tcp[13] & 2 != 0 or udp)' makes a smart BPF... reduced load by 10%

Cheers,
Nathan
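
What the filter quoted above admits, as an added example that is not part of the original post: a Python emulation of '(tcp[13] & 2 != 0 or udp)' run over constructed IPv4 packets. The helper names and sample addresses are assumptions, and the sketch models IPv4 only.

```python
import struct

def ipv4_packet(proto, l4=b"", frag_off=0):
    """Build a minimal 20-byte IPv4 header plus payload (constructed sample, checksum 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_off,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + l4

def tcp_segment(flags):
    """20-byte TCP header; the flags byte sits at offset 13, the byte tcp[13] reads."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)

def matches_filter(pkt):
    """Emulate '(tcp[13] & 2 != 0 or udp)' on a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False  # this sketch only models IPv4
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto == 17:
        return True  # 'udp' is decided by the IP protocol field alone
    if proto == 6 and frag_offset == 0 and len(pkt) > ihl + 13:
        # In pcap filter syntax '&' binds tighter than '!=', so this is (flags & 2) != 0
        return (pkt[ihl + 13] & 0x02) != 0
    return False

def sample_results():
    """Run the filter over constructed packets and return name -> kept?"""
    samples = {
        "tcp SYN": ipv4_packet(6, tcp_segment(0x02)),
        "tcp SYN-ACK": ipv4_packet(6, tcp_segment(0x12)),
        "tcp ACK": ipv4_packet(6, tcp_segment(0x10)),
        "tcp PSH-ACK": ipv4_packet(6, tcp_segment(0x18)),
        "tcp non-first fragment": ipv4_packet(6, tcp_segment(0x02), frag_off=1),
        "udp": ipv4_packet(17, b"\x00" * 8),
        "icmp": ipv4_packet(1, b"\x08\x00" + b"\x00" * 6),
    }
    return {name: matches_filter(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, kept in sample_results().items():
        print(f"{name:24s} {'kept' if kept else 'dropped'}")
```

SYN-ACK segments are kept as well as bare SYNs, because the expression tests only the SYN bit; established-session traffic such as ACK and PSH-ACK is what gets dropped before it reaches the sensor.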

