Snort mailing list archives
Re: Snort 2.8.6 performance
From: Matt Olney <molney () sourcefire com>
Date: Fri, 8 Oct 2010 18:50:21 -0400
From a performance perspective, there are three rules we need to address:
4677, 4676 and 17468. Those three rules address significantly older bugs, and I'd recommend you disable them unless you need them for known vulnerabilities. A fix to those three bugs will be in the next rule release. I know you have 10 rules on your list, but a majority of them have a very low check number. These three have a high microsecond evaluation time and a large number of checks.

Matt

On Fri, Oct 8, 2010 at 5:58 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

My suspicion is that this is rule related somehow... I turned off the so_rules and that didn't make any difference, and I also turned off the attribute table just for fun, since the one I load is pretty big. Nothing... so I reconfigured/recompiled to allow rule performance checks.

timestamp: 1286574608
Rule Profile Statistics (worst 10 rules)
==========================================================
 Num    SID GID Rev  Checks Matches Alerts  Microsecs Avg/Check Avg/Match Avg/Nonmatch
 ===    === === ===  ====== ======= ======  ========= ========= ========= ============
   1   4677   1   3  100664       0      0  615540707    6114.8       0.0       6114.8
   2  13272   1   3       6       0      0      17891    2981.9       0.0       2981.9
   3  11324   1   4      21       0      0      39429    1877.6       0.0       1877.6
   4  17468   1   1   33163       0      0   44821199    1351.5       0.0       1351.5
   5  10504   1   2      68       0      0       8006     117.7       0.0        117.7
   6  10505   1   2      68       0      0       8002     117.7       0.0        117.7
   7   4676   1   3   33076       0      0    1931555      58.4       0.0         58.4
   8  17666   1   1     594       0      0      13802      23.2       0.0         23.2
   9  17495   1   1       2       0      0         42      21.2       0.0         21.2
  10  15910   1   5     232       0      0       3869      16.7       0.0         16.7

I commented out rule 4677 and am running snort on my sensor again to see if that will help. Anybody know anything about this rule and if it may have recently changed? There's a very non-unique content match: "GET" and then a PCRE...

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Friday, October 08, 2010 12:36 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.8.6 performance

On 10/8/2010 13:19, Jefferson, Shawn wrote:
Has anyone else noticed performance (dropped packets), really take a dive today? I'm missing about 20-30% of packets now... on a sensor that was running great at about 100-200 mb/s until just today/last night. According to my snort stats there isn't anything unusual as far as stream or frag events go, but the snort process is using 100% CPU today. I'm using the VRT paid subscription rules.

please quote back your "snort -V" output... your config may also be needed...
possible you found a bug or some way that someone is trying to evade IDS several other factors...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
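The rule-profiling table quoted in this thread is what Snort's `config profile_rules` prints, and Matt's triage heuristic (many checks, high microseconds per check, and in this case zero matches) can be applied mechanically to it. The script below is an added example written for this archive page; it is not Snort code and not something either poster ran. It parses the poster's table (embedded verbatim, re-aligned), ranks each SID by its share of total profiled time, and lists rules that were checked often but never matched. The `min_share` and `min_checks` thresholds are assumptions chosen to illustrate the point, not Snort defaults.

```python
"""Rank Snort 'Rule Profile Statistics' rows by cost and flag dead weight.

Added example for the Snort-users thread above; not part of Snort.
Assumes the 2.8.x profile_rules table layout shown in the thread.
"""
import re
from dataclasses import dataclass

# The table Shawn posted, re-aligned. Column order is Snort's:
# Num SID GID Rev Checks Matches Alerts Microsecs Avg/Check Avg/Match Avg/Nonmatch
SAMPLE = """\
Rule Profile Statistics (worst 10 rules)
==========================================================
 Num    SID GID Rev  Checks Matches Alerts  Microsecs Avg/Check Avg/Match Avg/Nonmatch
 ===    === === ===  ====== ======= ======  ========= ========= ========= ============
   1   4677   1   3  100664       0      0  615540707    6114.8       0.0       6114.8
   2  13272   1   3       6       0      0      17891    2981.9       0.0       2981.9
   3  11324   1   4      21       0      0      39429    1877.6       0.0       1877.6
   4  17468   1   1   33163       0      0   44821199    1351.5       0.0       1351.5
   5  10504   1   2      68       0      0       8006     117.7       0.0        117.7
   6  10505   1   2      68       0      0       8002     117.7       0.0        117.7
   7   4676   1   3   33076       0      0    1931555      58.4       0.0         58.4
   8  17666   1   1     594       0      0      13802      23.2       0.0         23.2
   9  17495   1   1       2       0      0         42      21.2       0.0         21.2
  10  15910   1   5     232       0      0       3869      16.7       0.0         16.7
"""


@dataclass
class RuleStat:
    sid: int
    gid: int
    rev: int
    checks: int
    matches: int
    alerts: int
    microsecs: int
    avg_check: float
    avg_match: float
    avg_nonmatch: float


# One data row: eight integer columns followed by three decimal columns.
# Header and '===' separator lines contain non-digits and are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_profile(text: str) -> list[RuleStat]:
    """Extract the per-rule rows from a profile_rules dump."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        f = m.groups()
        rows.append(RuleStat(int(f[1]), int(f[2]), int(f[3]), int(f[4]),
                             int(f[5]), int(f[6]), int(f[7]),
                             float(f[8]), float(f[9]), float(f[10])))
    return rows


def total_microsecs(rows: list[RuleStat]) -> int:
    return sum(r.microsecs for r in rows)


def rank_by_share(rows: list[RuleStat]) -> list[tuple[int, float]]:
    """(sid, fraction of total profiled microseconds), most expensive first."""
    total = total_microsecs(rows)
    return sorted(((r.sid, r.microsecs / total) for r in rows),
                  key=lambda t: t[1], reverse=True)


def flag_expensive(rows: list[RuleStat], min_share: float = 0.001) -> list[int]:
    """SIDs consuming at least min_share of the profiled time (threshold assumed)."""
    total = total_microsecs(rows)
    return [r.sid for r in rows if r.microsecs / total >= min_share]


def never_matched(rows: list[RuleStat], min_checks: int = 10000) -> list[int]:
    """SIDs evaluated at least min_checks times without a single match: the
    fast-pattern prefilter let the packet through, and the full rule body
    (e.g. a PCRE after a weak content match) ran and failed every time."""
    return [r.sid for r in rows if r.checks >= min_checks and r.matches == 0]


if __name__ == "__main__":
    stats = parse_profile(SAMPLE)
    for sid, share in rank_by_share(stats):
        print(f"SID {sid:>6}: {share:7.2%} of profiled time")
    print("expensive:", flag_expensive(stats))
    print("checked often, never matched:", never_matched(stats))
```

Against the posted table, SID 4677 alone accounts for roughly 93% of the profiled time and 17468 for most of the rest; the three SIDs Matt names are exactly the ones that were checked tens of thousands of times with no match, which is the pattern to look for when a rule update suddenly costs CPU without producing alerts.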
Current thread:
- Snort 2.8.6 performance Jefferson, Shawn (Oct 08)
- Re: Snort 2.8.6 performance waldo kitty (Oct 08)
- Re: Snort 2.8.6 performance Jefferson, Shawn (Oct 08)
- Re: Snort 2.8.6 performance Matt Olney (Oct 08)
- Re: Snort 2.8.6 performance Jefferson, Shawn (Oct 08)
- Re: Snort 2.8.6 performance Jefferson, Shawn (Oct 08)
- Re: Snort 2.8.6 performance waldo kitty (Oct 08)