snort-users May 2009 archive

Re: [Snort-users] Certain ET rulesets and 100 percent usage.

From: Martin Roesch <roesch_at_nospam>
Date: Thu May 07 2009 - 22:38:46 GMT
To: Matt Jonkman <jonkman@jonkmans.com>


Yeah, you're hitting the rule chains iteratively and that's just not going to perform. If you want to filter large sets of IP addresses that would be more properly implemented as a preprocessor with dedicated functionality.

Marty

On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman@jonkmans.com> wrote:
> Straight IP matching is something Snort doesn't do well. Unfortunately.
> So this isn't that unexpected.
>
> I'd only run those rulesets where you can afford the cycles, or run a
> second snort for these alone and turn off everything in its config to
> streamline some.
>
> Matt
>
> jlay@slave-tothe-box.net wrote:
>> So here's something interesting. Enabling ANY of the below rulesets
>> results in snort using 100% CPU:
>>
>> emerging-botcc.rules
>> emerging-compromised.rules
>> emerging-drop.rules
>> emerging-dshield.rules
>> emerging-rbn.rules
>> emerging-tor.rules
>>
>> Without them, snort uses around 49%. Using 2.8.4.1 with about 700K average
>> traffic. Any thoughts? Thanks.
>>
>> James
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
>> production scanning environment may not be a perfect world - but thanks to
>> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
>> Series Scanner you'll get full speed at 300 dpi even with all image
>> processing features enabled. http://p.sf.net/sfu/kodak-com
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
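The performance point Marty makes above, shown as an added illustration that is not part of the thread and not Snort's code: a list of addresses expressed as one rule per entry is tested entry by entry for every packet, so the work grows with the list, whereas a dedicated lookup structure (one hash table per prefix length, the kind of thing a preprocessor would hold) does a bounded number of lookups per packet no matter how long the list is. The blocklist and packet stream are constructed random data, all names are invented for the demo, and it handles IPv4 only.

```python
"""Added illustration (not from Snort or any poster): iterating a rule chain
of IP addresses versus a dedicated prefix-table lookup."""
import ipaddress
import random


def entry(spec):
    """Turn "a.b.c.d/len" into (network_int, mask_int, prefixlen); host bits
    are masked off so the network int is canonical."""
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.netmask), net.prefixlen


def build_constructed_blocklist(n_hosts=2000, n_nets=200, seed=7):
    """Constructed sample data standing in for lists like botcc/dshield/tor:
    random /32 hosts followed by random /8, /16 and /24 blocks."""
    rng = random.Random(seed)
    entries = []
    for _ in range(n_hosts):
        host = ipaddress.IPv4Address(rng.randrange(1 << 24, 224 << 24))
        entries.append(entry(f"{host}/32"))
    for _ in range(n_nets):
        host = ipaddress.IPv4Address(rng.randrange(1 << 24, 224 << 24))
        entries.append(entry(f"{host}/{rng.choice((8, 16, 24))}"))
    return entries


class RuleChainMatcher:
    """One rule per list entry, evaluated in order for every packet.
    Cost per packet grows linearly with the number of entries."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.comparisons = 0

    def match(self, ip):
        a = int(ipaddress.IPv4Address(ip))
        for net_int, mask, plen in self.entries:
            self.comparisons += 1
            if a & mask == net_int:
                return net_int, mask, plen
        return None


class PrefixTableMatcher:
    """Dedicated lookup: a hash table per prefix length, keyed by the masked
    address. Cost per packet is the number of distinct prefix lengths present
    (at most 32), independent of how many entries the list holds."""

    def __init__(self, entries):
        self.tables = {}
        for net_int, mask, plen in entries:
            self.tables.setdefault(plen, {})[net_int] = (net_int, mask, plen)
        self.lengths = sorted(self.tables, reverse=True)  # longest prefix first
        self.comparisons = 0

    def match(self, ip):
        a = int(ipaddress.IPv4Address(ip))
        for plen in self.lengths:
            self.comparisons += 1
            key = a & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
            hit = self.tables[plen].get(key)
            if hit is not None:
                return hit
        return None


def compare(entries, packets):
    """Run both matchers over the same source addresses; report whether their
    block/no-block verdicts agree and how much work each one did."""
    chain, table = RuleChainMatcher(entries), PrefixTableMatcher(entries)
    agree = all((chain.match(p) is None) == (table.match(p) is None) for p in packets)
    return {"agree": agree, "packets": len(packets),
            "chain_comparisons": chain.comparisons,
            "table_comparisons": table.comparisons}


def demo():
    """Constructed packet stream: mostly random sources plus 50 known hits."""
    entries = build_constructed_blocklist()
    rng = random.Random(11)
    packets = [str(ipaddress.IPv4Address(rng.randrange(1 << 24, 224 << 24)))
               for _ in range(350)]
    packets += [str(ipaddress.IPv4Address(e[0])) for e in entries[:50]]
    return compare(entries, packets)


if __name__ == "__main__":
    r = demo()
    print(f"{r['packets']} packets, verdicts agree: {r['agree']}")
    print(f"rule chain: {r['chain_comparisons']} comparisons, "
          f"prefix table: {r['table_comparisons']} lookups")
```

The two matchers always reach the same verdict; the difference is that the rule-chain version does roughly one comparison per list entry for every packet that does not match early, which is the iteration cost Marty describes, while the table version does at most one lookup per prefix length in use.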