snort-users May 2009 archive

Re: [Snort-users] Certin ET rulesets and 100 percent usage.

From: Randal T. Rioux <randy_at_nospam>
Date: Fri May 08 2009 - 01:39:04 GMT
To: "Snort" <snort-users@lists.sourceforge.net>


Forgive me if I'm wrong, but isn't using Snort to implement an IP blocklist sub-optimal? Isn't this a better task for your firewall?

I just think an IDS should stick to what it does best.

Randy

On Thu, May 7, 2009 6:38 pm, Martin Roesch wrote:
> Yeah, you're hitting the rule chains iteratively and that's just not
> going to perform. If you want to filter large sets of IP addresses that
> would be more properly implemented as a preprocessor with dedicated
> functionality.
>
> Marty
>
> On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman@jonkmans.com>
> wrote:
>> Straight IP matching is something Snort doesn't do well. Unfortunately.
>> So this isn't that unexpected.
>>
>> I'd only run those rulesets where you can afford the cycles, or run a
>> second snort for these alone and turn off everything in its config to
>> streamline some.
>>
>> Matt
>>
>> jlay@slave-tothe-box.net wrote:
>>> So here's something interesting. Enabling ANY of the below rulesets
>>> results in snort using 100% CPU:
>>>
>>> emerging-botcc.rules emerging-compromised.rules emerging-drop.rules
>>> emerging-dshield.rules emerging-rbn.rules emerging-tor.rules
>>>
>>> Without them, snort uses around 49%. Using 2.8.4.1 with about 700K average
>>> traffic. Any thoughts? Thanks.
>>>
>>> James
>>>
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
>
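Randy's point above (put the address list in the firewall, not in Snort's rule chains), as an added example that is not part of the thread and not Snort or Emerging Threats code: a small Python script that pulls the bracketed address lists out of rules written in the style of the ET IP-blocklist rulesets and turns them into ipset/iptables commands, so a kernel hash:net set does the matching. The rule lines, addresses, msgs and sids below are constructed samples, not real ET entries.

```python
import ipaddress
import re

# Constructed sample lines in the style of the ET IP-blocklist rulesets named
# in the thread (addresses, msgs and sids are made up, not real ET entries).
SAMPLE_RULES = """\
# comment lines and unrelated rules are skipped
alert ip [192.0.2.0/24,198.51.100.7,203.0.113.0/25] any -> $HOME_NET any (msg:"EXAMPLE DROP list group 1"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [198.51.100.200,203.0.113.128/26] any (msg:"EXAMPLE DROP list group 2"; classtype:misc-attack; sid:9000002; rev:1;)
"""

# "alert ip <src> any -> <dst> any (" ; the bracketed field is the address list.
_RULE = re.compile(r"^\s*alert\s+ip\s+(\S+)\s+any\s+->\s+(\S+)\s+any\s+\(")


def extract_networks(rules_text):
    """Return the set of networks listed in IP-blocklist style rules.

    Handles both directions: the bracketed list may be source or destination.
    Bare addresses become /32 networks; $HOME_NET and other variables are ignored.
    """
    nets = set()
    for line in rules_text.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        for field in m.groups():
            if not field.startswith("["):
                continue  # a variable such as $HOME_NET, not an address list
            for item in field.strip("[]").split(","):
                nets.add(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def to_ipset_commands(nets, setname="et_blocklist"):
    """Emit ipset/iptables commands so the kernel matches the list instead of Snort."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    ordered = sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))
    cmds += [f"ipset add {setname} {n} -exist" for n in ordered]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    cmds.append(f"iptables -I OUTPUT -m set --match-set {setname} dst -j DROP")
    return cmds


if __name__ == "__main__":
    print("\n".join(to_ipset_commands(extract_networks(SAMPLE_RULES))))
```

Feed it the real ruleset files instead of SAMPLE_RULES and pipe the output to a shell on the firewall; Snort can then keep the content rules it is good at while the blocklist is matched by the kernel set.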
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users