snort-users May 2009 archive

Re: [Snort-users] Certin ET rulesets and 100 percent usage.

From: Matt Jonkman <jonkman_at_nospam>
Date: Fri May 08 2009 - 13:22:11 GMT
To: Martin Roesch <roesch@sourcefire.com>


Quick question for you Marty. Eion and Joel Esler both have made the point that if we split the IP matching rules from a single "alert ip" into two "alert tcp" and "alert udp" we'll get a significant performance increase (which I'm implementing today).

I know we'll miss icmp then, but that's not a big deal. But what causes the performance gain here? Doesn't make sense on the surface.

Thanks!

Matt

Martin Roesch wrote:
> Yeah, you're hitting the rule chains iteratively and that's just not
> going to perform. If you want to filter large sets of IP addresses
> that would be more properly implemented as a preprocessor with
> dedicated functionality.
>
> Marty
>
> On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman@jonkmans.com> wrote:
>> Straight IP matching is something Snort doesn't do well. Unfortunately.
>> So this isn't that unexpected.
>>
>> I'd only run those rulesets where you can afford the cycles. Or run a
>> second snort for these alone and turn off everything in its config to
>> streamline some.
>>
>> Matt
>>
>> jlay@slave-tothe-box.net wrote:
>>> So here's something interesting. Enabling ANY of the below rulesets
>>> results in snort using 100% CPU:
>>>
>>> emerging-botcc.rules
>>> emerging-compromised.rules
>>> emerging-drop.rules
>>> emerging-dshield.rules
>>> emerging-rbn.rules
>>> emerging-tor.rules
>>>
>>> Without snort uses around 49%. Using 2.8.4.1 with about 700K average
>>> traffic. Any thoughts? Thanks.
>>>
>>> James
>>>
>>> ------------------------------------------------------------------------------
>>> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
>>> production scanning environment may not be a perfect world - but thanks to
>>> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
>>> Series Scanner you'll get full speed at 300 dpi even with all image
>>> processing features enabled. http://p.sf.net/sfu/kodak-com
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users@lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
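The rewrite Matt says he is implementing, turning each "alert ip" rule into an "alert tcp" copy plus an "alert udp" copy, is mechanical enough to script. The Python below is an added example, not code from this thread, from Emerging Threats or from the Snort project. It assumes that address lists in the rule head contain no whitespace, that every rule carries a `sid`, and that the udp copy gets `sid + udp_sid_offset` so the two copies do not collide (the offset convention is an assumption; pick a range you have reserved). The sample rules are constructed for the example and are not real ET content. As the thread notes, the split drops ICMP coverage, so the script reports how many rules it converted.

```python
"""Split Snort "alert ip" rules into "alert tcp" + "alert udp" pairs.

Added example for the snort-users thread above; not ET or Snort code.
"""
import re

# Rule head: action, "ip", src sport dir dst dport, then the option block in (...).
# Assumption: no whitespace inside address or port lists.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|log|pass|reject|sdrop)\s+ip\s+'
    r'(?P<rest>\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def split_ip_rule(rule, udp_sid_offset=1000000):
    """Return [tcp_rule, udp_rule] for an 'alert ip' style rule, else [rule].

    The udp copy is given sid + udp_sid_offset (assumed reserved range) so the
    pair stays unique; rules without a sid are left untouched.
    """
    m = RULE_RE.match(rule.strip())
    if not m:
        return [rule]
    action, rest, opts = m.group('action'), m.group('rest'), m.group('opts')
    sid_m = SID_RE.search(opts)
    if not sid_m:
        return [rule]
    sid = int(sid_m.group(1))
    tcp_rule = f"{action} tcp {rest} ({opts})"
    udp_opts = SID_RE.sub(f"sid:{sid + udp_sid_offset};", opts, count=1)
    udp_rule = f"{action} udp {rest} ({udp_opts})"
    return [tcp_rule, udp_rule]


def split_ruleset(lines, udp_sid_offset=1000000):
    """Apply split_ip_rule to every line of a .rules file.

    Comments and blank lines pass through. Returns (new_lines, rules_split);
    rules_split is also the number of rules that no longer see ICMP.
    """
    out, n_split = [], 0
    for line in lines:
        s = line.strip()
        if not s or s.startswith('#'):
            out.append(line.rstrip('\n'))
            continue
        parts = split_ip_rule(s, udp_sid_offset)
        if len(parts) == 2:
            n_split += 1
        out.extend(parts)
    return out, n_split


# Constructed sample input, shaped like a drop-list ruleset (not real ET content).
SAMPLE_RULES = """\
# constructed sample ruleset
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"SAMPLE DROP listed source"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [198.51.100.0/24] any (msg:"SAMPLE DROP listed destination"; classtype:misc-attack; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE already tcp"; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    new_lines, n = split_ruleset(SAMPLE_RULES.splitlines())
    print("\n".join(new_lines))
    print(f"# {n} 'alert ip' rules split; those {n} no longer match ICMP")
```

Run it against a copy of the ruleset rather than the live one, and diff the output before loading it; the rule count roughly doubles, so check the converted file with `snort -T` in the same way you would any new ruleset.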