Snort mailing list archives

Re: Snort CPU consumptions


From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 08 Jan 2014 20:26:38 -0500

On 1/8/2014 1:01 PM, Patrick Mullen wrote:
Hello!

This is a good question, and the answer may not be what you expect at first.

The "problem" is that snort checks the port LAST*, so that rule would, in fact,
be seen as a poor performer.  The reason we check the port last is because we
found that with properly written rules, the port check would almost always
succeed.  Early versions of snort checked ports first and it was actually slower
overall this way.

It's worth noting that your example rule would be a poor performer regardless of
the pcre used because it doesn't have a content match, which means it would
enter on EVERY packet, especially since you also didn't include a "flow"
option.

so one answer to tuning this rule would be to

   1. include a content match
   2. include a flow direction

but looking at that PCRE, i don't see where it is any more helpful than a simple
"any any -> any any" type rule :?

All rules should have a good content match that will help snort know if
it should bother evaluating any of the rule options and a flow option to further
reduce the number of packets it evaluates.

(*) Rules that use some preprocessors, like http_inspect, in some ways
effectively check the port first because http_inspect has its own rule option
tree and that tree is only run on ports that are seen and/or configured as http,
but in general you should never assume the port specification is going to
provide any performance benefits.


Thanks,

~Patrick


On Wed, Jan 8, 2014 at 11:35 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

    Hi

    Let us consider a snort signature with a CPU expensive PCRE match as shown
    below [1].

    Would the PCRE consume a lot of CPU cycles if the entire traffic which this
    snort saw is just port 80 to the HOME_NET ?

    [1]
    alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE"; pcre:"/.+/i"; rev:1; sid:100001;)

    My answer would be no?  Is there any other contradicting answer to the same?
    My doubt is due to the fact that I saw a peculiar case where the traffic
    was not on port 888 and still this sort of a rule managed to bubble up the
    worst performers in perf-profiling.



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
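The two tuning points in the reply above (a rule with no content match has no fast pattern and is entered on every packet; a TCP rule with no flow option cannot be pruned by direction or session state) can be checked mechanically across a ruleset. The following linter is an added example written for this archive page, not code from the thread or from the Snort project; the sample ruleset it carries is constructed and the "tuned" rule in it is hypothetical.

```python
import re

# One rule option: name, then optionally ":" and a value that is either a
# double-quoted string (may contain ';' inside the quotes) or a bare token.
_OPTION_RE = re.compile(
    r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*(?:;|$)')

# Constructed sample ruleset: the rule quoted in the thread, plus a
# hypothetical variant with a content match and a flow option added.
SAMPLE_RULES = r'''
# pcre with no content match and no flow option (from the thread)
alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE"; pcre:"/.+/i"; rev:1; sid:100001;)
# same port, but with a fast pattern and a flow direction (constructed)
alert tcp any any -> $HOME_NET 888 (msg:"Tuned rule"; flow:to_server,established; content:"GET "; pcre:"/^GET \/[^\s]*/"; rev:1; sid:100002;)
'''


def parse_rule(rule):
    """Split a one-line Snort 2 rule into (header fields, [(option, value), ...])."""
    header, _, body = rule.partition("(")
    body = body.rstrip().rstrip(")").strip()
    fields = header.split()          # action proto src sport dir dst dport
    if len(fields) != 7:
        raise ValueError("unexpected rule header: %r" % header)
    options, pos = [], 0
    while pos < len(body):           # consume the option list left to right
        m = _OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("cannot parse options near: %r" % body[pos:])
        options.append((m.group(1), m.group(2)))
        pos = m.end()
    return fields, options


def lint_rule(rule):
    """Return the performance findings the reply describes; empty list if none."""
    fields, options = parse_rule(rule)
    names = {name for name, _ in options}
    findings = []
    if "content" not in names:
        findings.append("no content match: no fast pattern, rule is entered on every packet")
    if "pcre" in names and "content" not in names:
        findings.append("pcre runs without a preceding content match")
    if fields[1] == "tcp" and "flow" not in names:
        findings.append("no flow option: direction and session state are not used to prune")
    return findings


def lint_ruleset(text):
    """Map each rule's sid to its findings; comments and blank lines are skipped."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields, options = parse_rule(line)
            report[dict(options).get("sid", "?")] = lint_rule(line)
    return report
```

Run `lint_ruleset(SAMPLE_RULES)` on a real rules file to list the sids that would show up in perf-profiling for the reasons given above; a rule with no findings may still be slow for other reasons, so treat the report as a first pass.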
