Snort mailing list archives
Re: Snort CPU consumptions
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Thu, 9 Jan 2014 09:14:57 +0530
On Wed, Jan 8, 2014 at 11:31 PM, Patrick Mullen <pmullen () sourcefire com> wrote:
> Hello! This is a good question, and the answer may not be what you expect at first. The "problem" is that snort checks the port LAST*, so that rule would, in fact, be seen as a poor performer. The reason we check the port last is because we found that with properly written rules, the port check would almost always succeed. Early versions of snort checked ports first and it was actually slower overall this way.
Wow, superb, this is the answer I was looking for :-). If you have it at the top of your head as to which version onward the port check was pushed to LAST, please key it in?
> It's worth noting that your example rule would be a poor performer regardless of the pcre used because it doesn't have a content match, which means it would enter on EVERY packet, especially since you also didn't include a "flow" option. All rules should have a good content match that will help snort know if it should bother evaluating any of the rule options and a flow option to further reduce the number of packets it evaluates.
The rule specified in my email trail is not the one I use in production. I created it as an example just to ensure that it looks like a worst performer.
> (*) Rules that use some preprocessors, like http_inspect, in some ways effectively check the port first because http_inspect has its own rule option tree and that tree is only run on ports that are seen and/or configured as http, but in general you should never assume the port specification is going to provide any performance benefits.
>
> Thanks,
>
> ~Patrick
>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
--
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
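As an added illustration of Patrick's point about content matches and flow (constructed example rules, not the rule from the original thread): the first rule carries only a pcre, so every packet to $HTTP_PORTS enters the rule-option tree and the port check is the last thing evaluated; the second expresses the same detection with a flow option and a content match flagged as the fast pattern, so packets without that string are discarded by the fast-pattern matcher before any rule option runs. The URI and sids are assumed values.

```snort
# Constructed example 1: pcre-only rule. No content match, no flow option.
# Snort has nothing to hand the fast-pattern matcher, so the rule-option
# tree is entered on EVERY packet in the port group and the pcre (the most
# expensive option) is what decides, with the port check coming last.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE poorly performing rule - pcre only"; \
    pcre:"/\/admin\/config\.php\?id=\d+/i"; \
    classtype:web-application-activity; sid:1000001; rev:1; )

# Constructed example 2: same detection, written the way the reply recommends.
#   flow        - only client-to-server packets on established sessions are
#                 considered, cutting the candidate packet count further.
#   content     - a literal that must be present; marking it fast_pattern
#                 lets the multi-pattern matcher reject non-matching packets
#                 before any option, including the pcre, is evaluated.
#   http_uri    - match in the normalized URI buffer of http_inspect, so the
#                 rule is effectively only run on HTTP-inspected traffic.
#   pcre /U     - the regex now runs only on the few packets that survived
#                 the content match, and only against the URI buffer.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE same detection with flow and content match"; \
    flow:to_server,established; \
    content:"/admin/config.php"; http_uri; fast_pattern; nocase; \
    pcre:"/\/admin\/config\.php\?id=\d+/Ui"; \
    classtype:web-application-activity; sid:1000002; rev:1; )
```

Both rules fire on the same requests; the difference is only in how many packets ever reach the pcre, which is what shows up as CPU consumption.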