[Emerging-Sigs] Snort, IP-Only Rules, Performance

waldo kitty wkitty42 at windstream.net
Sat Dec 8 09:17:23 HAST 2012


On 12/7/2012 12:08, Nathan wrote:
> Forgive me for being out of the loop with regard to this topic but what
> options/improvements have been made with regard to "IP only" rules with Snort.
> I am running Snort 2.9.4 DAQ 2.0.0 and the IP only rules such as
> emerging-tor.rules are performance degrading even with Flags:S.

i don't know what one might check for but in recent snort list traffic, it was 
pointed out that checking for content actually speeds things up... kinda makes 
me wonder if there's some content or !content that could be added to the rules...



More information about the Emerging-sigs mailing list