Snort mailing list archives
Re: Catch rate testing with VRT free ruleset
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 28 Jul 2016 22:39:07 +0000
This could depend on configuration of your preprocessors, and what rules you are running, as well as how many packets you are dropping. Our catch rate for Breaking Point is much much higher.
On Jul 28, 2016, at 11:56 AM, Andrea Romagnoli <andrea.romagnoli () it telecomitalia it> wrote:

Hello everyone.

We installed Snort 2.9.8.3 (Build 383) with PF_RING on a server with 2 Xeon CPUs, 256GB RAM and Ubuntu 14.04.1: our aim is to test Snort in IPS inline mode using IXIA's Breaking Point (traffic generator).

We are doing catch rate testing using the updated VRT Free ruleset. Trying hundreds of attacks ordered by year (from 2008 to 2015), we reached a catch rate of approximately ~45% (lower: 34.83% with 2008 attacks, higher: 47.08% with 2015 attacks).

In our testbed we enabled all rulesets and we put them in "reject" mode.

Do you think that those results are reasonable for a free ruleset such as VRT Free, or could we do a bit more? What results could we expect with VRT Pro?

Best regards,
Andrea

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!