Snort mailing list archives
Rules vs performance
From: "Robinson, Ken" <ken.robinson () ccra-adrc gc ca>
Date: Thu, 10 May 2001 15:41:30 -0400
Hello,

Are there any rules of thumb, or such, on how the number of Snort rules affects the performance? In doing some lab tests, we found that as the amount of traffic went up, we detected fewer and fewer test attacks. CPU usage was high, but not peaked right out. The lab boxes were PIII 800MHz systems with 100Mbit NICs and 256Meg RAM. I don't know if the misses were due to an issue with the hardware (NIC missing packets?), or if there were too many rules to sort through for the Snort software, or too much logging?

We've looked through the Snort rules from Whitehats and found many cases where we could reduce the rules by either dropping them (i.e. don't care), reducing them (i.e. all the ICMP itype 8 rules could just be recorded as ping instead of detecting which OS), or making groups of them as activate rules (i.e. the DeepThroat backdoor rules). We could also use the activate rules to log the next 50 packets and then run a full set of rules on those logged packets.

So, any advice for us? Should we use activate rules as much as possible? Should we generalize rules? Or is all of this not going to make much of a difference?

Thanks.

----
Ken Robinson
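The two reductions Ken describes, written out as Snort 1.x rule fragments (an added illustration, not part of the original post or of the Whitehats rule set): collapsing per-OS ICMP echo rules into one generic ping rule, and an activate/dynamic pair that captures the next 50 packets of a suspected DeepThroat session for offline analysis with the full rule set. $HOME_NET is assumed to be defined in snort.conf, and the DeepThroat port and payload patterns below are assumed/constructed and should be checked against your own rule file.

```snort
# --- Before: one rule per OS fingerprint, each needing a payload match ---
# (payload patterns are constructed placeholders, not the Whitehats values)
alert icmp any any -> $HOME_NET any (msg:"ICMP PING OS-A"; itype:8; content:"|AA AA AA AA|";)
alert icmp any any -> $HOME_NET any (msg:"ICMP PING OS-B"; itype:8; content:"|BB BB BB BB|";)
alert icmp any any -> $HOME_NET any (msg:"ICMP PING OS-C"; itype:8; content:"|CC CC CC CC|";)

# --- After: one generic rule, header-only match, no content search ---
# Records that a ping happened without trying to identify the source OS.
alert icmp any any -> $HOME_NET any (msg:"ICMP PING"; itype:8;)

# --- Activate/dynamic pair for a backdoor port ---
# The activate rule fires once on the first packet to the suspected port
# (UDP 2140 is assumed here as the DeepThroat listener) and turns on the
# dynamic rule, which logs the next 50 packets on that port. Those logged
# packets can later be replayed against the complete rule set, e.g.
#   snort -r <logged-packets-file> -c full.rules
activate udp any any -> $HOME_NET 2140 (msg:"DeepThroat access attempt"; activates:1;)
dynamic  udp any any -> $HOME_NET 2140 (activated_by:1; count:50;)
```

Dropping the content matches from the ICMP rules removes a per-packet payload search; the activate/dynamic pair keeps the live rule set small while still preserving evidence for a second, slower pass.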