Re: Rule Profiling on small pcap

[Joel Esler <jesler () sourcefire com>]

On Nov 12, 2012, at 6:04 PM, Mike Cox <mike.cox52 () gmail com> wrote:

> How do you do perf test on small pcaps?  (I sense a comment from Joel
> coming saying testing small pcaps isn't useful....)

It's useful, I'm not saying that.  But it's only useful to a point.

It's useful for tuning that rule on that pcap.  But your tuning to that rule may not reflect the real world.  In the 
VRT we tune as best we can on the given pcap.  But then we test the rules in the real world and further tweak from 
there.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!