[Oisf-users] IP reputation lists and performance
Michał Purzyński
michalpurzynski1 at gmail.com
Mon Nov 3 23:01:28 UTC 2014
Hi, I'm looking for the best way to use IP reputation lists.
There's a two-year-old blog post about the performance impact that using
IP-only rules has. Basically it forces the IDS to go into the matching
engine with every packet, something that's easily understood as having
poor performance.
Is this the case with IP-only rules and Suricata? My guess is yes; I'd
like some developers to chime in. In other words, unless you know,
think before answering ;)
http://vrt-blog.snort.org/2012/04/snort-performance-and-ip-only-rules.html
Now, there's a Suricata IP reputation engine.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationFormat
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationConfig
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules
Is it the right way to use intel IP data? What does the performance
(CPU/MEM) look like?
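Added example, not part of Michał's post and not Suricata's own tooling: a small Python script that turns a threat-intel feed into the two files the IP reputation engine loads (categories.txt and reputation.list, in the layout described on the IPReputationFormat wiki page linked above) and emits one rule using the iprep keyword, so the intel lives in the reputation tables instead of in a pile of IP-only signatures. The feed format ("ip|category|score"), the category names and IDs, the sample addresses and the sid are assumptions made up for illustration; CIDR entries in reputation.list are assumed to be accepted by the Suricata version in use, so check the docs for yours.

```python
"""Build Suricata IP reputation files from a plain-text intel feed.

Added example; not from the mailing list post or the Suricata project.
File layout follows the IPReputationFormat wiki page:
  categories.txt : <id>,<short name>,<description>
  reputation.list: <ip or cidr>,<category id>,<score 0..127>
Feed format, category table, sample data and sid are assumptions.
"""
import ipaddress

# Assumed category table: short name -> (category id, description)
CATEGORIES = {
    "CnC": (1, "command and control servers"),
    "Scanner": (2, "hosts observed scanning"),
}

# Constructed sample feed (not a real intel source): ip-or-cidr|category|score
SAMPLE_FEED = """\
# comments and blank lines are ignored
192.0.2.10|CnC|90
192.0.2.10|CnC|70
198.51.100.25|Scanner|40
2001:db8::1|CnC|100
not-an-ip|CnC|50
203.0.113.0/24|Scanner|60
10.0.0.5|Unknown|80
10.0.0.6|CnC|250
"""


def normalise_address(token):
    """Return a canonical host or CIDR string, or None if token is not an address."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_network(token, strict=False))
    except ValueError:
        return None


def parse_feed(text):
    """Parse 'ip|category|score' lines into {address: {category: score}}.

    Malformed lines, bad addresses and unknown categories are dropped,
    duplicates keep the highest score, and scores are clamped to the
    0..127 range the reputation engine uses.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 3:
            continue
        addr = normalise_address(parts[0].strip())
        cat = parts[1].strip()
        if addr is None or cat not in CATEGORIES:
            continue
        try:
            score = int(parts[2])
        except ValueError:
            continue
        score = max(0, min(127, score))
        per_addr = entries.setdefault(addr, {})
        per_addr[cat] = max(per_addr.get(cat, 0), score)
    return entries


def build_categories():
    """Lines for categories.txt, ordered by category id."""
    ordered = sorted(CATEGORIES.items(), key=lambda kv: kv[1][0])
    return ["%d,%s,%s" % (cid, name, desc) for name, (cid, desc) in ordered]


def build_reputation(entries):
    """Lines for reputation.list: <ip or cidr>,<category id>,<score>."""
    lines = []
    for addr in sorted(entries):
        for cat, score in sorted(entries[addr].items()):
            lines.append("%s,%d,%d" % (addr, CATEGORIES[cat][0], score))
    return lines


def iprep_rule(sid, category, threshold):
    """One rule firing on outbound traffic to a host whose score in `category` exceeds threshold."""
    return ('alert ip any any -> any any (msg:"IPREP outbound to %s host"; '
            'flow:to_server; iprep:dst,%s,>,%d; sid:%d; rev:1;)'
            % (category, category, threshold, sid))


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    print("\n".join(build_categories()))      # -> categories.txt
    print("\n".join(build_reputation(parsed)))  # -> reputation.list
    print(iprep_rule(1000001, "CnC", 30))       # -> iprep.rules
```

Point suricata.yaml at the generated files (reputation-categories-file, default-reputation-path and reputation-files, per the IPReputationConfig page), then load the one iprep rule instead of one rule per address; the feed's "CnC" entries with score above 30 will then alert on outbound connections.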