Rules vs performance

["Robinson, Ken" <ken.robinson () ccra-adrc gc ca>]

Hello,

Are there any rule-of-thumb, or such on how the number of Snort rules
affects the performance?   

In doing some lab tests, we found that has the amount of traffic went up, we
detected fewer and fewer test attacks.     CPU usage was high, but not
peaked right out.     The lab boxes were PIII 800Mhz systems with 100Mbit
NICs and 256Meg RAM.  

I don't know of the misses were due to an issue with the hardware (NIC
missing packets?), or if there were too many rules to sort through for the
Snort software, or too much logging? 

We've looked through the snort rules from Whitehats and found many cases
were we could reduce the rules by either dropping them (i.e. don't care),
reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
instead of detecting which OS),  or making groups of them as activate rules
(i.e. the DeepThroat backdoor rules).    We could also use the Activate
rules to log the next 50 packets and then run a full set or rules on those
logged packets.  

So, any advise for us?   Should we use Activate rules as much as possible?
Should we generalize rules?   Or is all of this not going to make much of a
difference? 

Thanks. 

----
Ken Robinson




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users