Re: [Snort-users] Certin ET rulesets and 100 percent usage.

From: Matt Jonkman <jonkman_at_nospam>
Date: Thu May 07 2009 - 16:15:50 GMT
To: jlay@slave-tothe-box.net

Straight IP matching is something Snort doesn't do well. Unfortunately. So this isn't that unexpected.

I'd only run those rulesets where you can afford the cycles. or run a second snort for these alone and turn off everything in it's config to streamline some.

Matt

jlay@slave-tothe-box.net wrote:
> So here's something interesting. Enabling ANY of the below rulesets
> results in snort using 100% CPU:
>
> emerging-botcc.rules
> emerging-compromised.rules
> emerging-drop.rules
> emerging-dshield.rules
> emerging-rbn.rules
> emerging-tor.rules
>
> Without snort uses around 49%. Using 2.8.4.1 with about 700K average
> traffic. Any thoughts? Thanks.
>
> James
>
>
>
>
> ------------------------------------------------------------------------------
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
> Series Scanner you'll get full speed at 300 dpi even with all image
> processing features enabled. http://p.sf.net/sfu/kodak-com
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- -------------------------------------------- Matthew Jonkman Emerging Threats Phone 765-429-0398 Fax 312-264-0205 http://www.emergingthreats.net -------------------------------------------- PGP: http://www.jonkmans.com/mattjonkman.asc ------------------------------------------------------------------------------ The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

This message: [ Message body ]
Next message: Richard Bejtlich: "[Snort-users] snort-3.0.0b3 on FreeBSD 7.2 UUID library fail"
Previous message: jlay_at_nospam: "[Snort-users] Certin ET rulesets and 100 percent usage."
In reply to: jlay_at_nospam: "[Snort-users] Certin ET rulesets and 100 percent usage."
Next in thread: Martin Roesch: "Re: [Snort-users] Certin ET rulesets and 100 percent usage."
Reply: Martin Roesch: "Re: [Snort-users] Certin ET rulesets and 100 percent usage."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]