Well, I've figured out how I'm going to implement a performance fix for my new version of tcpreplay. Hopefully I'll have that ready sometime next week.
I've also spent about 20 hours looking at Snort signatures this week. The web signatures (mostly), to be exact. Honestly, the more I read them, the more I've come to realize a simple fact:
99.9% of Snort signatures are pure crap.
Out of the 700 signatures I've read, they either generate false positives like mad (Snort rarely looks for the attack; generally it just looks for the CGI/ASP/whatever that is vulnerable, so even if it is a perfectly valid request, you'll get an alarm),
or, the few times they do look for the attack, either their test is horribly broken or it's so easy to avoid (don't put the CGI parameter next to the ?) that the signature will only pick up script kiddies and morons.
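To make the two failure modes above concrete, here is a small Python emulation (an added example, not part of the original post and not taken from Snort's rule set). The CGI name `example.cgi`, the `file` parameter, the two rule-style patterns and the four sample request lines are all made up for illustration. One pattern only names the script, the way the post says most rules do; the other looks for the attack but assumes the parameter sits right after the `?`. A third function decodes the URI and checks the parameter value wherever it appears. It also shows one case the post does not mention, URL-encoding, which a raw content match misses but a decoded parse catches.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical rule fragments (made-up CGI name; these are not real Snort rules).
# Pattern 1 only names the vulnerable script, as the post says most rules do:
#   content:"/cgi-bin/example.cgi"; nocase;
PATH_ONLY = "/cgi-bin/example.cgi"
# Pattern 2 looks for the attack, but assumes the parameter sits right after '?':
#   content:"/cgi-bin/example.cgi?file=../"; nocase;
ATTACK_GLUED = "/cgi-bin/example.cgi?file=../"


def content_match(request_line: str, pattern: str) -> bool:
    """Emulate a case-insensitive Snort 'content:' substring match on the raw request line."""
    return pattern.lower() in request_line.lower()


def parsed_check(request_line: str, script: str = PATH_ONLY, param: str = "file") -> bool:
    """Decode the URI and test the named parameter for '..', whatever its position or encoding."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if url.path.lower() != script:
        return False
    # parse_qs percent-decodes values, so %2e%2e becomes '..'
    values = parse_qs(url.query, keep_blank_values=True).get(param, [])
    return any(".." in v for v in values)


# Constructed sample request lines (not captured traffic).
REQUESTS = {
    "legit":   "GET /cgi-bin/example.cgi?file=readme.txt HTTP/1.0",
    "glued":   "GET /cgi-bin/example.cgi?file=../../etc/passwd HTTP/1.0",
    "moved":   "GET /cgi-bin/example.cgi?x=1&file=../../etc/passwd HTTP/1.0",
    "encoded": "GET /cgi-bin/example.cgi?file=%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
}


def evaluate(requests=REQUESTS):
    """Return {name: (path_only_fires, attack_glued_fires, parsed_fires)} for each request."""
    return {
        name: (content_match(r, PATH_ONLY), content_match(r, ATTACK_GLUED), parsed_check(r))
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, (p, a, c) in evaluate().items():
        print(f"{name:8} path-only={p!s:5} attack-glued={a!s:5} parsed={c}")
```

Running it shows the path-only pattern firing on all four requests, including the legitimate one (the false positive), while the glued attack pattern catches only the request that happens to put `file=` first; the parsed check fires on the three traversal attempts and stays quiet on the legitimate request.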
Honestly, I've been running Snort for over a year now and always thought it was a bit overzealous in reporting attacks, and now I know why. IMHO, the only reason to keep Snort on my disk is that in sniffer mode it has nicer output than tcpdump. Oh well...