Pantek Library

Re: [Snort-users] CPU usage and bleeding-compromised.rules

From: Matt Jonkman <jonkman(at)bleedingthreats.net>
Date: Wed Aug 29 2007 - 19:28:52 EDT


Ya, that's a huge ruleset, and is having in some cases more of an impact on performance than expected. Don't run it if your boxes are on the edge of load.

That said though, I'm going to work to pare down the number of IPs in those lists, go for more just the biggest offenders in each category...

Matt

James Lay wrote:
> For what it's worth...
>
> Using the new bleeding ruleset compromised rules makes my snort cpu usage
> go from around 2% to a minimum constant of around 26%. As I look at the
> ruleset I can see why though..almost a 2 meg text file..yikes!
>
> James

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: 
http://www.bleedingthreats.com/mattjonkman.asc



Received on Wed Aug 29 19:27:15 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 08 2007 - 18:07:03 EDT

