Snort mailing list archives

Re: Snort CPU consumptions


From: Patrick Mullen <pmullen () sourcefire com>
Date: Wed, 8 Jan 2014 13:01:11 -0500

Hello!

This is a good question, and the answer may not be what you expect at first.

The "problem" is that snort checks the port LAST*, so that rule would, in
fact, be seen as a poor performer.  The reason we check the port last is
because we found that with properly written rules, the port check would
almost always succeed.  Early versions of snort checked ports first and it
was actually slower overall this way.

It's worth noting that your example rule would be a poor performer
regardless of the pcre used because it doesn't have a content match, which
means it would enter on EVERY packet, especially since you also didn't
include a "flow" option.  All rules should have a good content match that
will help snort know if it should bother evaluating any of the rule options
and a flow option to further reduce the number of packets it evaluates.

(*) Rules that use some preprocessors, like http_inspect, in some ways
effectively check the port first because http_inspect has its own rule
option tree and that tree is only run on ports that are seen and/or
configured as http, but in general you should never assume the port
specification is going to provide any performance benefits.


Thanks,

~Patrick


On Wed, Jan 8, 2014 at 11:35 AM, Balasubramaniam Natarajan <
bala150985 () gmail com> wrote:

Hi

Let us consider a snort signature with a CPU expensive PCRE match as shown
below[1].

Would the PCRE consume a lot of CPU cycles if the entire traffic which
this snort saw is just port 80 to the HOME_NET ?

[1]
alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE";
pcre:"/.+/i"; rev:1; sid:100001)

My answer would be no? Is there any other contradicting answer to the
same? My doubt is due to the fact that I saw a peculiar case where the
traffic was not on port 888 and still this sort of a rule managed to bubble
up the worst performers in perf-profiling.

--
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
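As an added example (not from either message in this thread), the quoted rule next to a version rewritten along the lines Patrick describes, followed by the snort.conf line that exposes per-rule timings so the difference can be checked. The content string and the second sid are constructed placeholders, and the profiling line assumes a Snort 2.x build compiled with --enable-perfprofiling.

```snort
# Rule from the quoted mail. With no content and no flow option, every TCP
# packet enters option evaluation, and because the port is checked last the
# PCRE runs before Snort ever looks at port 888. (Closing ";" added so the
# rule parses.)
alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE"; pcre:"/.+/i"; rev:1; sid:100001;)

# Same PCRE, gated the way the reply recommends. flow restricts evaluation to
# client-to-server packets on established sessions; the content match feeds
# the fast-pattern matcher, so the rule is only considered when that literal
# appears in the payload. "EXAMPLE-TOKEN" is a constructed placeholder, not a
# real protocol string; sid 1000002 is assumed.
alert tcp any any -> $HOME_NET 888 (msg:"Same PCRE, gated by flow and content"; flow:to_server,established; content:"EXAMPLE-TOKEN"; pcre:"/.+/i"; rev:2; sid:1000002;)

# snort.conf: print the ten rules with the highest average ticks at exit so the
# before/after cost of the two rules above can be compared.
config profile_rules: print 10, sort avg_ticks
```

With both rules loaded, the first should keep showing high checks and avg_ticks under mixed traffic while the second only registers checks when the placeholder literal is actually present.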