Re: Certin ET rulesets and 100 percent usage.

[Martin Roesch <roesch () sourcefire com>]

Yeah, you're hitting the rule chains iteratively and that's just not
going to perform.  If you want to filter large sets of IP addresses
that would be more properly implemented as a preprocessor with
dedicated functionality.

Marty

On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman () jonkmans com> wrote:
> Straight IP matching is something Snort doesn't do well. Unfortunately.
> So this isn't that unexpected.
>
> I'd only run those rulesets where you can afford the cycles. or run a
> second snort for these alone and turn off everything in it's config to
> streamline some.
>
> Matt
>
> jlay () slave-tothe-box net wrote:
> > So here's something interesting.  Enabling ANY of the below rulesets
> > results in snort using 100% CPU:
> >
> > emerging-botcc.rules
> > emerging-compromised.rules
> > emerging-drop.rules
> > emerging-dshield.rules
> > emerging-rbn.rules
> > emerging-tor.rules
> >
> > Without snort uses around 49%.  Using 2.8.4.1 with about 700K average
> > traffic.  Any thoughts?  Thanks.
> >
> > James
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> > production scanning environment may not be a perfect world - but thanks to
> > Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
> > Series Scanner you'll get full speed at 300 dpi even with all image
> > processing features enabled. http://p.sf.net/sfu/kodak-com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
> ------------------------------------------------------------------------------
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
> Series Scanner you'll get full speed at 300 dpi even with all image
> processing features enabled. http://p.sf.net/sfu/kodak-com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image 
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users