Snort mailing list archives

Re: Certin ET rulesets and 100 percent usage.


From: "Randal T. Rioux" <randy () procyonlabs com>
Date: Thu, 7 May 2009 21:39:04 -0400 (EDT)

Forgive me if I'm wrong, but isn't using Snort to implement an IP
blocklist sub-optimal? Isn't this a better task for your firewall?

I just think an IDS should stick to what it does best.

Randy


On Thu, May 7, 2009 6:38 pm, Martin Roesch wrote:
Yeah, you're hitting the rule chains iteratively and that's just not
going to perform.  If you want to filter large sets of IP addresses that
would be more properly implemented as a preprocessor with dedicated
functionality.

Marty

On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman () jonkmans com>
wrote:
Straight IP matching is something Snort doesn't do well. Unfortunately.
So this isn't that unexpected.

I'd only run those rulesets where you can afford the cycles. Or run a
second snort for these alone and turn off everything in its config to
streamline some.

Matt

jlay () slave-tothe-box net wrote:
So here's something interesting.  Enabling ANY of the below rulesets
results in snort using 100% CPU:

emerging-botcc.rules emerging-compromised.rules emerging-drop.rules
emerging-dshield.rules emerging-rbn.rules emerging-tor.rules

Without them, snort uses around 49%.  Using 2.8.4.1 with about 700K average
traffic.  Any thoughts?  Thanks.

James




------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
production scanning environment may not be a perfect world - but thanks to
Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
Series Scanner you'll get full speed at 300 dpi even with all image
processing features enabled. http://p.sf.net/sfu/kodak-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398  Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc







--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org





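Marty's point above, that a large IP blocklist expressed as one rule per network is walked iteratively for every packet while a dedicated lookup structure is not, is easy to see in code. The Python below is an added illustration, not Snort code and not anything from the Emerging Threats rulesets: it compares a linear scan over a list of (network, mask) pairs, which is what a block of per-network rules amounts to, with a hash table keyed by prefix length, which costs the same per packet whether the list holds ten networks or ten thousand. The CIDRs, the random blocklist and the function names (`parse_cidr`, `linear_blocked`, `PrefixTable`, `benchmark`) are all constructed for this example.

```python
"""Why thousands of single-network block rules burn CPU in a rule-chain
engine, and why a dedicated set lookup does not.

Constructed example: not Snort code, and every CIDR here is invented, not
taken from any Emerging Threats ruleset.
"""
import random
import time


def ip_to_int(text):
    """'203.0.113.7' -> 32-bit integer."""
    return int.from_bytes(bytes(int(octet) for octet in text.split(".")), "big")


def parse_cidr(text):
    """'203.0.113.0/24' -> (network_int, mask_int); a bare address means /32."""
    addr, _, plen = text.partition("/")
    plen = int(plen) if plen else 32
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask


def linear_blocked(rules, addr):
    """One entry per blocked network, tested in order: O(number of rules)
    per packet. This is what a long run of per-network IP rules costs."""
    for net, mask in rules:
        if addr & mask == net:
            return True
    return False


class PrefixTable:
    """One hash set per distinct prefix length: O(number of prefix lengths)
    per packet, independent of how many networks are listed."""

    def __init__(self, rules):
        self.by_mask = {}
        for net, mask in rules:
            self.by_mask.setdefault(mask, set()).add(net)

    def blocked(self, addr):
        for mask, nets in self.by_mask.items():
            if addr & mask in nets:
                return True
        return False


def random_rules(n, seed=1):
    """Constructed blocklist of n random /24 and /32 networks."""
    rng = random.Random(seed)
    rules = []
    for _ in range(n):
        mask = rng.choice((0xFFFFFF00, 0xFFFFFFFF))
        rules.append((rng.randrange(1 << 32) & mask, mask))
    return rules


def benchmark(n_rules=4000, n_packets=400, seed=2):
    """Time both strategies on the same constructed packets; returns the
    timings, the hit count and whether the two strategies agree."""
    rules = random_rules(n_rules)
    table = PrefixTable(rules)
    rng = random.Random(seed)
    probes = []
    for i in range(n_packets):
        if i % 2:  # listed address: pick a network and an address inside it
            net, mask = rng.choice(rules)
            probes.append(net | (rng.randrange(1 << 32) & ~mask & 0xFFFFFFFF))
        else:      # random address, almost certainly not listed
            probes.append(rng.randrange(1 << 32))
    t0 = time.perf_counter()
    linear = [linear_blocked(rules, a) for a in probes]
    t1 = time.perf_counter()
    fast = [table.blocked(a) for a in probes]
    t2 = time.perf_counter()
    return {"linear_s": t1 - t0, "table_s": t2 - t1,
            "agree": linear == fast, "hits": sum(fast)}


if __name__ == "__main__":
    r = benchmark()
    print(f"{r['hits']} hits; linear scan {r['linear_s']:.3f}s, "
          f"prefix table {r['table_s']:.3f}s")
```

The linear scan's cost grows with the size of the blocklist and is paid on every packet that misses, which is most of them on a normal link; the table's cost is bounded by the number of distinct prefix lengths in the list. That is the gap between the rule chain and the dedicated preprocessor (or firewall set) the replies above recommend.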

