Snort mailing list archives

Re: CPU usage and bleeding-compromised.rules


From: Matt Jonkman <jonkman () bleedingthreats net>
Date: Thu, 30 Aug 2007 09:28:52 +1000

Ya, that's a huge ruleset, and is having in some cases more of an impact
on performance than expected. Don't run it if your boxes are on the edge
of load.

That said though, I'm going to work to pare down the number of IPs in
those lists, go for more just the biggest offenders in each category...

Matt

James Lay wrote:
For what it's worth...

Using the new bleeding ruleset compromised rules makes my snort cpu usage
go from around 2% to a minimum constant of around 26%.  As I look at the
ruleset I can see why though..almost a 2 meg text file..yikes!

James



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


