Snort mailing list archives

Re: Any suggestions to lower drop rates on this setup?


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 21 Dec 2001 14:13:02 -0500

Well, your logging options look reasonable, matching the help docs recommendations for speed, as does your command line.

I would definitely look closely at your rules and try to streamline them.

First, make sure HOME_NET is not defined as "any".. define it to a specific IP range if at all possible. The more specific the IP address/port options for your ruleset are, the fewer possible content matches snort has to apply per packet. You seem to have a moderate amount of rules, with what strikes me as relatively few chain headers.. I'm running slightly fewer total rules (~810) with >300 chain headers using snort 1.8.2 and a mostly-stock ruleset. I may be wildly off-base, I'm not exactly an expert at this, but I have the impression that more chain headers allow more specific TCP/IP header matching and (hopefully) fewer content searches per packet.


Next, try to remove rules that you don't need. If you don't have any IIS servers, remove IIS-specific rules.. if you're an MS-only shop, kill off *nix-specific rules.. This is particularly helpful for rules without specific ports in them. Admittedly it is nice to have a broad ruleset to be aware of everyone poking at your network, but it is more important (in my opinion anyway) to not drop packets for the attacks that are directed at the platforms you are running.

If you have any of your own in-house custom rules, look at them closely.. make the TCP/IP header options (ports, source/destination IPs) as specific as possible to reduce the number of packets they match. For your content sections, try to avoid repetitive sequences of characters in content matches. The Boyer-Moore pattern match algorithm snort uses is much more efficient at non-repetitive strings like "w4r3z" than repetitive ones like "aaaah".

I'm basing a lot of this advice on the "Writing snort rules" section of Martin's 1999 USENIX paper on snort. I think I understand him correctly, but you should double-check me. If nothing else, it will give you a good view of how snort works, and what things in rules affect its performance.

http://www.usenix.org/events/lisa99/full_papers/roesch/roesch.pdf


Lastly, if your snort sensor is behind a router that drops packets with bad checksums, try turning off snort's checksumming with "-k none" or "-k noip" as appropriate.


At 04:26 PM 12/20/2001 -0600, you wrote:
885 Snort rules read...
885 Option Chains linked into 108 Chain Headers
0 Dynamic rules
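As an added illustration of the content-string point in the mail above (this is not code from the mail, from Snort, or from Roesch's paper), the Python below implements the Boyer-Moore-Horspool variant with a byte-comparison counter and runs the two strings "w4r3z" and "aaaah" over a constructed payload of repeated "a" bytes. The payload and the function names are assumptions for the example; the counts only show the shift-table behaviour, not Snort's actual matcher.

```python
# Added example: Boyer-Moore-Horspool with a comparison counter, to show why a
# repetitive content string ("aaaah") skips less than a non-repetitive one
# ("w4r3z") of the same length when the payload contains its characters.

def horspool_search(text: bytes, pattern: bytes):
    """Return (offset_of_first_match_or_-1, number_of_byte_comparisons)."""
    m, n = len(pattern), len(text)
    if m == 0 or m > n:
        return -1, 0
    # Bad-character table: a byte not in pattern[:-1] lets us skip the whole
    # pattern length; a byte that does occur limits the skip to the distance
    # from its last occurrence (before the final byte) to the pattern end.
    shift = [m] * 256
    for i in range(m - 1):
        shift[pattern[i]] = m - 1 - i
    comparisons = 0
    pos = 0
    while pos <= n - m:
        j = m - 1
        # Compare right to left until a mismatch or a full match.
        while j >= 0:
            comparisons += 1
            if text[pos + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            return pos, comparisons
        # Skip based on the payload byte aligned with the pattern's last byte.
        pos += shift[text[pos + m - 1]]
    return -1, comparisons


def compare_content_strings(payload: bytes, patterns):
    """Map each content string to the comparisons spent scanning payload."""
    return {p: horspool_search(payload, p)[1] for p in patterns}


if __name__ == "__main__":
    # Constructed payload: 60 bytes of "a", the worst case for "aaaah"
    # because every aligned byte forces a shift of only 1.
    payload = b"a" * 60
    for pat, cost in compare_content_strings(payload, [b"w4r3z", b"aaaah"]).items():
        print(f"{pat!r}: {cost} comparisons")   # w4r3z: 12, aaaah: 56
```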



