Religious argument so I won't beat it too much. But many places haven't
the easy ability to add massive numbers of rules to firewalls. Can you
imagine sticking all of the RBN and compromised hosts into a checkpoint
firewall via the gui every 24 hours? Or a sonicwall? There's a nice
little hell. And then reconciling the ones that have dropped out of
being labeled hostile and removing those.... etc
And then you have the folks that just have a router on the perimeter, and depending on the model you may not have the RAM to have a shun route for every IP; you have to go with just those that you've seen and remove them after the timeout (snortsam functionality).
So ya, in an ideal world firewalls are best for blocking and massive IP matching. But in reality it's difficult to use this threat data in that way.
Matt
Randal T. Rioux wrote:
> Forgive me if I'm wrong, but isn't using Snort to implement an IP
> blocklist sub-optimal? Isn't this a better task for your firewall?
>
> I just think an IDS should stick to what it does best.
>
> Randy
>
>
> On Thu, May 7, 2009 6:38 pm, Martin Roesch wrote:
>> Yeah, you're hitting the rule chains iteratively and that's just not
>> going to perform. If you want to filter large sets of IP addresses that
>> would be more properly implemented as a preprocessor with dedicated
>> functionality.
>>
>> Marty
>>
>> On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman@jonkmans.com>
>> wrote:
>>> Straight IP matching is something Snort doesn't do well. Unfortunately.
>>> So this isn't that unexpected.
>>>
>>> I'd only run those rulesets where you can afford the cycles, or run a
>>> second snort for these alone and turn off everything in its config to
>>> streamline some.
>>>
>>> Matt
>>>
>>> jlay@slave-tothe-box.net wrote:
>>>> So here's something interesting. Enabling ANY of the below rulesets
>>>> results in snort using 100% CPU:
>>>>
>>>> emerging-botcc.rules emerging-compromised.rules emerging-drop.rules
>>>> emerging-dshield.rules emerging-rbn.rules emerging-tor.rules
>>>>
>>>> Without snort uses around 49%. Using 2.8.4.1 with about 700K average
>>>> traffic. Any thoughts? Thanks.
>>>>
>>>> James
>>>>
>>>> ------------------------------------------------------------------------------
>>>> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
>>>> production scanning environment may not be a perfect world - but thanks to
>>>> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
>>>> Series Scanner you'll get full speed at 300 dpi even with all image
>>>> processing features enabled. http://p.sf.net/sfu/kodak-com
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users@lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> --
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>> Sourcefire - Security for the Real World - http://www.sourcefire.com
>> Snort: Open Source IDP - http://www.snort.org
>>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
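Marty's point about iterating the rule chain per packet versus a dedicated IP-set lookup, and Matt's point about reconciling the daily adds and drops, as an added example that is not part of this thread, of Snort, or of the Emerging Threats rulesets: a small Python indexer that parses IP-list rules of that shape into prefix-length buckets, so a lookup costs at most one set probe per distinct prefix length rather than one rule visit per rule, plus a diff helper for a nightly shun-table refresh. The rule lines, sids and addresses in SAMPLE_RULES are constructed (RFC 5737 documentation ranges); `parse_networks`, `IPSetIndex` and `reconcile` are names assumed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the emerging-*.rules IP lists; the sids and
# addresses are made up (RFC 5737 documentation ranges), not real list contents.
SAMPLE_RULES = """\
alert ip [192.0.2.0/24,198.51.100.7] any -> $HOME_NET any (msg:"SAMPLE DROP list"; sid:9000001; rev:1;)
alert ip [203.0.113.0/25] any -> $HOME_NET any (msg:"SAMPLE compromised list"; sid:9000002; rev:1;)
# comment lines (and anything that is not an ip rule) are skipped
alert ip 203.0.113.200 any -> $HOME_NET any (msg:"SAMPLE single host"; sid:9000003; rev:1;)
"""

_SRC_FIELD = re.compile(r"^\s*alert\s+ip\s+(\[[^\]]*\]|\S+)\s+any\s+->")

def parse_networks(rules_text):
    """Pull the source-address list out of each rule; returns IPv4Network objects."""
    nets = []
    for line in rules_text.splitlines():
        m = _SRC_FIELD.match(line)
        if not m:
            continue
        for tok in m.group(1).strip("[]").split(","):
            if tok.strip():
                nets.append(ipaddress.IPv4Network(tok.strip(), strict=False))
    return nets

class IPSetIndex:
    """Network prefixes bucketed by prefix length: a lookup costs one hash probe
    per distinct prefix length (at most 32), however many rules were loaded."""

    def __init__(self, networks):
        self.buckets = defaultdict(set)
        for n in ipaddress.collapse_addresses(networks):  # merge overlapping entries
            self.buckets[n.prefixlen].add(int(n.network_address) >> (32 - n.prefixlen))
        self.lens = sorted(self.buckets, reverse=True)  # longest prefix first

    def match(self, addr):
        """Return the matching prefix length, or None if the address is not listed."""
        a = int(ipaddress.IPv4Address(addr))
        for plen in self.lens:
            if (a >> (32 - plen)) in self.buckets[plen]:
                return plen
        return None

def reconcile(old_nets, new_nets):
    """Diff two list snapshots into (add, remove) sets for a daily shun-table refresh."""
    old, new = set(old_nets), set(new_nets)
    return new - old, old - new
```

The per-packet cost of `match` depends only on how many distinct prefix lengths the lists use, which is the property a dedicated preprocessor gets and an iterated rule chain does not.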