Snort mailing list archives
Re: Certin ET rulesets and 100 percent usage.
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 7 May 2009 18:38:46 -0400
Yeah, you're hitting the rule chains iteratively and that's just not going to perform. If you want to filter large sets of IP addresses that would be more properly implemented as a preprocessor with dedicated functionality.

Marty

On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman () jonkmans com> wrote:
> Straight IP matching is something Snort doesn't do well. Unfortunately. So this isn't that unexpected. I'd only run those rulesets where you can afford the cycles, or run a second snort for these alone and turn off everything in its config to streamline some.
>
> Matt
>
> jlay () slave-tothe-box net wrote:
>> So here's something interesting. Enabling ANY of the below rulesets results in snort using 100% CPU:
>>
>> emerging-botcc.rules
>> emerging-compromised.rules
>> emerging-drop.rules
>> emerging-dshield.rules
>> emerging-rbn.rules
>> emerging-tor.rules
>>
>> Without, snort uses around 49%. Using 2.8.4.1 with about 700K average traffic. Any thoughts? Thanks.
>>
>> James
>>
>> ------------------------------------------------------------------------------
>> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
> PGP: http://www.jonkmans.com/mattjonkman.asc

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
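As an added illustration of Marty's point (this is constructed example code, not code from the thread, from Snort or from Emerging Threats), the Python below compares the per-packet work of evaluating one rule per IP list entry against a dedicated lookup structure that buckets CIDR entries by prefix length. The list contents (2000 filler /24s plus a few documentation prefixes), the function and class names, and the cost counters are all assumptions made for the example; the index goes beyond the thread in that it also handles IPv6 entries and longest-prefix matching.

```python
"""Added example: why a large IP blocklist belongs in a dedicated lookup
structure rather than one Snort rule per address.  Constructed for this
thread; it is not Snort code and not part of any ET ruleset."""
import ipaddress
from collections import defaultdict

# Constructed reputation list: 2000 filler /24s plus a few documentation
# prefixes (RFC 5737 / RFC 3849), large enough to make the cost visible.
FILLER = [f"10.{i // 256}.{i % 256}.0/24" for i in range(2000)]
SAMPLE_LIST = FILLER + [
    "192.0.2.0/24",
    "198.51.100.7/32",
    "203.0.113.0/25",
    "2001:db8::/32",
]
NETWORKS = [ipaddress.ip_network(e) for e in SAMPLE_LIST]


def linear_match(networks, ip):
    """One rule per list entry, evaluated one after another.

    This is the shape of a ruleset with N 'alert ip <addr> any -> ...'
    rules: every packet can walk all N entries.  Returns (match, checks).
    """
    addr = ipaddress.ip_address(ip)
    checks = 0
    for net in networks:
        checks += 1
        if addr.version == net.version and addr in net:
            return str(net), checks
    return None, checks


class PrefixIndex:
    """Dedicated IP-list matcher: entries bucketed by prefix length.

    A lookup probes one hash set per distinct prefix length present
    (at most 33 for IPv4, 129 for IPv6), independent of list size.
    Longest prefix is tried first so the most specific entry wins.
    """

    def __init__(self, entries):
        self._sets = {4: defaultdict(set), 6: defaultdict(set)}
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            self._sets[net.version][net.prefixlen].add(int(net.network_address))
        self._lengths = {v: sorted(d, reverse=True) for v, d in self._sets.items()}

    def lookup(self, ip):
        """Return (matching network as a string or None, number of set probes)."""
        addr = ipaddress.ip_address(ip)
        bits = addr.max_prefixlen
        n = int(addr)
        probes = 0
        for plen in self._lengths[addr.version]:
            probes += 1
            mask = ((1 << plen) - 1) << (bits - plen)
            key = n & mask
            if key in self._sets[addr.version][plen]:
                # Rebuild the network from the masked address and prefix length.
                net = ipaddress.ip_network(f"{type(addr)(key)}/{plen}")
                return str(net), probes
        return None, probes


INDEX = PrefixIndex(SAMPLE_LIST)


def compare(ip):
    """Work done by each approach for one packet address."""
    _, linear_cost = linear_match(NETWORKS, ip)
    _, indexed_cost = INDEX.lookup(ip)
    return {"linear_checks": linear_cost, "index_probes": indexed_cost}


if __name__ == "__main__":
    for ip in ("203.0.113.9", "203.0.113.200", "2001:db8::1", "10.7.207.55"):
        print(ip, linear_match(NETWORKS, ip), INDEX.lookup(ip), compare(ip))
```

For an address that matches late in the list (or not at all), the linear scan pays for every entry, which is why the CPU cost in the thread climbs with the size of the ET IP lists; the index pays at most one probe per prefix length however many entries are loaded. A real preprocessor would do the same in C with a radix tree or hash table over the packet's addresses, but the scaling argument is identical.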
Current thread:
- Certin ET rulesets and 100 percent usage. jlay (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 07)
- Re: Certin ET rulesets and 100 percent usage. Martin Roesch (May 07)
- Re: Certin ET rulesets and 100 percent usage. Randal T. Rioux (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 08)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 08)
- Re: Certin ET rulesets and 100 percent usage. Martin Roesch (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 07)