Snort mailing list archives
lots of rules loaded and snort performance
From: Pedro Marinho <pppmarinho () gmail com>
Date: Fri, 5 Nov 2010 19:24:09 -0200
Hello Gentlemen,

Some months ago I was having a problem with high packet drop rates at my sensors. I am trying to consolidate all the rules I need in one file to solve this problem.

First I issue this command to create a file with the rules' msg:

    egrep -i '(MALWARE|WORM|Cisco|BrightStor|Shockwave|Microsoft|Adobe|MS-SQL|IBM|IIS|Symantec|Oracle|TROJAN|USER_AGENTS)' ETregras2.8.4/rules/*.rules | grep -i -G msg:"\w*" | cut -d\" -f2 | cut -d";" -f1 > free2.txt

Then I did a tiny Perl script to read from that file and throw the rules into one file, grabbing the output with the '>' operator at the shell, like:

    perl myscript.pl > somefile.rules

    use strict;
    use warnings;

    open(my $XYZ, '<', 'free2.txt') or die "free2.txt: $!";
    while (my $rule_msg = <$XYZ>) {
        chomp($rule_msg);
        # escape single quotes so the shell does not choke on msgs that contain one
        (my $quoted = $rule_msg) =~ s/'/'\\''/g;
        # -F: match the msg text literally, not as a regular expression
        my $regra = `grep -i -F '$quoted' ETregras2.8.4/rules/*.rules`;
        if ($regra ne '') {
            # strip the "file:" prefix grep puts in front of every matching line
            if ($regra =~ s/^ETregras2\.8\.4\/rules\/emerging-[^:]+\.rules://mg) {
                print("$regra\n");
            } # end if
        } # end if grep found something
    } # end while not eof
    close($XYZ);

The odd thing is that during the script execution I am getting some warnings.. I am not a Perl monk btw

    sh: -c: line 0: unexpected EOF while looking for matching `''
    sh: -c: line 1: syntax error: unexpected end of file
    sh: -c: line 0: unexpected EOF while looking for matching `''
    sh: -c: line 1: syntax error: unexpected end of file
    sh: -c: line 0: unexpected EOF while looking for matching `''
    sh: -c: line 1: syntax error: unexpected end of file
    sh: -c: line 0: unexpected EOF while looking for matching `''
    sh: -c: line 1: syntax error: unexpected end of file
    sh: -c: line 0: syntax error near unexpected token `('

My question is.. how do you people remove rules that you don't need? Do you all do it like Jason suggested? He did say "just get the sid and then I add them to my oinkmaster file to be disabled". I am asking because it seems that having a large number of rules loaded at the detection engine is not good for performance, especially rules that match on IP values. Bad performance leads to an increased risk of false negatives..

Any suggestions?

2009/6/17 Jason Wallace <jason.r.wallace () gmail com>
From my past experience I would say 6700 rules is kind of a lot. Take a look at page 84, "2.4.1 Rule Profiling"... http://www.snort.org/assets/82/snort_manual.pdf

Set that up to determine what rules are the most intensive and determine if you really need those enabled.

Also... I usually also 'grep -i' through the rule files I use looking for things in the messages that I know I do have in my environment...

    Novell
    WhatsUpGold
    ClamAV
    sendmail
    Solaris
    McAfee
    Symantec
    BrightStor

Example...

    grep -i brightstor /etc/snort/vrt/*.rules

Make sure these rules are really related to BrightStor, then...

    grep -i brightstor /etc/snort/vrt/*.rules | grep -Po sid\:[0-9]*\; | cut -d: -f2 | cut -d";" -f1

to just get the sid, and then I add them to my oinkmaster file to be disabled.

Hope this helps.

On Wed, Jun 17, 2009 at 10:23 AM, Pedro Marinho <pppmarinho () gmail com> wrote:

Jason, I did it with the -T switch.. I did forget that you can start snort in test mode with the -T option

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    6713 Snort rules read
        6713 detection rules
        0 decoder rules
        0 preprocessor rules
    6713 Option Chains linked into 315 Chain Headers
    0 Dynamic rules

So is this too many rules?
2010/5/28 Joel Esler <jesler () sourcefire com>
Pedro,

You should be aiming for 0% packet loss. You should disable any rules that do not apply to your environment.

--
Sent from my iPad
Joel Esler
302-223-5974
Jabber: jesler () sourcefire com
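The selection step discussed in this thread (pick rules by their msg text, collect the sids, feed them to oinkmaster as disablesid lines) done in Python without shelling out to grep, as an added example that is not code from the post or from the Snort or oinkmaster projects. Parsing the msg and sid options directly means a msg that contains a single quote, the kind of value that produced the sh: -c errors above, is handled; the rule lines below are constructed samples, not real signatures.

```python
import re

# Constructed sample rules (not from the original post). The second msg
# contains an apostrophe, which is what breaks a single-quoted shell
# argument; the third rule is commented out, i.e. already disabled.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET WORM Sample SMB worm probe"; flow:to_server; sid:2000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sample beacon 'phone home'"; sid:2000002; rev:1;)
# alert udp any any -> any 161 (msg:"ET POLICY Sample SNMP request"; sid:2000003; rev:2;)
alert tcp any any -> $HOME_NET 6070 (msg:"ET EXPLOIT BrightStor sample overflow"; sid:2000004; rev:2;)
alert ip any any -> any any (msg:"ET SCAN Sample generic scan"; sid:2000005; rev:1;)
'''

# msg value may contain backslash-escaped characters, including \"
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_rules(text):
    """Yield (sid, msg, enabled) for every rule line; a leading '#' means disabled."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith('#')
        body = stripped.lstrip('# ')
        m_msg, m_sid = MSG_RE.search(body), SID_RE.search(body)
        if not (m_msg and m_sid):
            continue  # variable definition, include line or plain comment
        yield int(m_sid.group(1)), m_msg.group(1), enabled


def select_sids(text, keywords, enabled_only=True):
    """Return sorted sids whose msg contains any keyword (case-insensitive, whole word)."""
    pat = re.compile(r'\b(?:%s)\b' % '|'.join(re.escape(k) for k in keywords), re.I)
    return sorted(sid for sid, msg, enabled in parse_rules(text)
                  if pat.search(msg) and (enabled or not enabled_only))


def oinkmaster_disable_lines(sids):
    """Render sids as oinkmaster.conf 'disablesid' directives."""
    return ['disablesid %d' % sid for sid in sids]


if __name__ == '__main__':
    for line in oinkmaster_disable_lines(select_sids(SAMPLE_RULES, ['WORM', 'TROJAN', 'BrightStor'])):
        print(line)
```

Point it at the real rule files by reading them into text in place of SAMPLE_RULES; rule profiling output (the manual section Jason cites) is the better guide to which of the matched sids actually cost you packets.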
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users