Snort mailing list archives
R: Catch rate testing with VRT free ruleset
From: Romagnoli Andrea <andrea.romagnoli () it telecomitalia it>
Date: Fri, 29 Jul 2016 15:56:57 +0000
Hi Joel,

Thank you for your feedback! At the moment we are running all VRT free rules and we are not dropping any packets due to high traffic rate (or other reasons). Which preprocessor configuration could cause this effect?

We are using the default conf file, except for the stream5_global variable (we added memcap and increased TCP/UDP max connections), setting HOME_NET, daq PF_RING variables and some secondary parameters like rules directory location, ip reputation lists location, and so on and so forth. I can share the conf if it could be helpful.

Thank you

Best regards,
Andrea

-----Original message-----
From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Friday, 29 July 2016 00:39
To: Romagnoli Andrea
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Catch rate testing with VRT free ruleset

This could depend on configuration of your preprocessors, and what rules you are running, as well as how many packets you are dropping. Our catch rate for Breaking Point is much much higher.
On Jul 28, 2016, at 11:56 AM, Andrea Romagnoli <andrea.romagnoli () it telecomitalia it> wrote:

Hello everyone.

We installed Snort 2.9.8.3 (Build 383) with PF_RING on a server with 2 Xeon CPUs, 256GB RAM and Ubuntu 14.04.1: our aim is to test Snort in IPS inline mode using IXIA's Breaking Point (traffic generator).

We are doing catch rate testing using the updated VRT Free ruleset. Trying hundreds of attacks ordered by year (from 2008 to 2015) we reached a catch rate of approximately 45% (lowest: 34.83% with 2008 attacks, highest: 47.08% with 2015 attacks). In our testbed we enabled all rulesets and put them in "reject" mode.

Do you think that those results are reasonable for a free ruleset such as VRT Free, or could we do a bit more? What results could we expect with VRT Pro?

Best regards,
Andrea

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
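Joel's point about dropped packets is the one check worth automating before comparing catch-rate figures: a sensor that silently drops traffic under load will miss attacks for reasons unrelated to the ruleset. The script below is an added example, not code from this thread or from the Snort project; it parses the "Packet I/O Totals" block that Snort 2.9.x prints at shutdown (the sample text is constructed, not taken from Andrea's server) and derives the drop ratio from the raw counters rather than trusting the printed percentage.

```python
import re

# Constructed sample in the shape of the "Packet I/O Totals" block that
# Snort 2.9.x prints at shutdown; it is NOT output from the poster's sensor.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:      4102339
   Analyzed:      4098871 ( 99.915%)
    Dropped:         3468 (  0.085%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:          512
===============================================================================
Breakdown by protocol (includes rebuilt packets):
"""

# One counter line: optional leading spaces, a known label, a colon, the count.
FIELD_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)")


def parse_packet_io_totals(text):
    """Return the raw counters of the Packet I/O Totals block as a dict."""
    counters = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Packet I/O Totals:"):
            in_block = True          # start of the block we care about
            continue
        if in_block and line.startswith("===="):
            break                    # separator line closes the block
        if in_block:
            m = FIELD_RE.match(line)
            if m:
                counters[m.group(1)] = int(m.group(2))
    return counters


def drop_ratio(counters):
    """Fraction of received packets the DAQ reported as dropped (0.0 if none seen)."""
    received = counters.get("Received", 0)
    return counters.get("Dropped", 0) / received if received else 0.0


def drops_acceptable(counters, max_ratio=0.001):
    """True when drops stay within max_ratio. A stats block without the two
    counters is treated as unacceptable: a catch rate with no drop figure
    beside it cannot be interpreted."""
    if "Received" not in counters or "Dropped" not in counters:
        return False
    return drop_ratio(counters) <= max_ratio


if __name__ == "__main__":
    c = parse_packet_io_totals(SAMPLE_STATS)
    print(c, f"drop ratio {drop_ratio(c):.3%}", "ok" if drops_acceptable(c) else "DROPS")
```

Run Snort with `-v` or send it SIGUSR1 and feed the resulting statistics text to `parse_packet_io_totals`; the 0.1% default threshold is an assumption for the example, not a Snort or VRT recommendation.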
Current thread:
- Catch rate testing with VRT free ruleset Andrea Romagnoli (Jul 28)
- Re: Catch rate testing with VRT free ruleset Joel Esler (jesler) (Jul 28)
- R: Catch rate testing with VRT free ruleset Romagnoli Andrea (Jul 29)
- Re: Catch rate testing with VRT free ruleset Joel Esler (jesler) (Jul 28)