Snort mailing list archives

Subnet list in HOME_NET affects performance?


From: Lai Zit Seng <laizs () comp nus edu sg>
Date: Tue, 12 Jun 2001 23:01:13 +0800 (SGT)

I have a network with multiple subnets that are not completely adjacent,
so I am forced to specify a list of CIDR subnets in my HOME_NET variable.
I observed that snort seems to be missing quite a lot of attacks, so I
started to do some testing.

I configured an alert rule to catch an ICMP probe from a specific external
host into my internal network. Then I went to that external host and started
pinging back into my HOME_NET. I checked my alert log and my ping activity
and observed that the "majority" of the ping probes were not reported (e.g.,
80% loss).

Then I changed my HOME_NET to a single subnet with a netmask big enough to
somewhat cover all my actual subnets. In this configuration, snort logs
correctly ALL my ping probes.

So my question... does specifying a subnet list in HOME_NET severely affect
snort's performance?

Some background:

I did the above test using the current CVS daily snapshot, using the 1.8
rules largely unmodified except for HOME_NET. Snort is running on a dual
processor Pentium III 450MHz with 512MB RAM and using a 3Com 3c905 for the
sniffing interface.

Regards,

.lzs


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
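The trade-off the post describes (a HOME_NET list of non-adjacent CIDR blocks versus a single broad netmask that also sweeps in address space you do not own) can be quantified before editing snort.conf. The script below is an added example, not code from the post or from the Snort project: it renders both HOME_NET forms, computes the smallest single block that covers the listed subnets, and lists the foreign address ranges that the broad form would silently treat as internal. The three 10.20.x.0/24 subnets and the 203.0.113.9 test host are constructed sample values; the rendered rule mirrors the poster's ICMP test.

```python
import ipaddress

# Constructed sample: three non-adjacent internal subnets (hypothetical addresses)
SUBNETS = ["10.20.1.0/24", "10.20.5.0/24", "10.20.9.0/24"]
# Constructed sample: the external host used for the ping test
TEST_HOST = "203.0.113.9"


def snort_home_net_list(subnets):
    """Render HOME_NET as a Snort list variable (comma separated, no spaces)."""
    return "var HOME_NET [" + ",".join(subnets) + "]"


def covering_supernet(subnets):
    """Smallest single CIDR block that contains every subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Start from a host route on the lowest address and widen until the
    # highest address fits; /0 contains everything, so this terminates.
    net = ipaddress.ip_network(f"{lo}/{nets[0].max_prefixlen}")
    while hi not in net:
        net = net.supernet()
    return net


def snort_home_net_single(subnets):
    """Render HOME_NET as one broad block, the form the poster fell back to."""
    return f"var HOME_NET {covering_supernet(subnets)}"


def excess_ranges(subnets):
    """Address blocks inside the covering supernet that are not in the list.

    These are the addresses a single broad HOME_NET would treat as internal
    even though they are not yours, so rules keyed on $HOME_NET would fire
    (or stay silent) for traffic that has nothing to do with your network.
    """
    owned = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in subnets))
    remaining = [covering_supernet(subnets)]
    for n in owned:
        next_remaining = []
        for block in remaining:
            if n.subnet_of(block):
                # Carve the owned subnet out of this block
                next_remaining.extend(block.address_exclude(n))
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(remaining)


def excess_address_count(subnets):
    """How many foreign addresses the broad form adds."""
    return sum(n.num_addresses for n in excess_ranges(subnets))


def probe_rule(external_host, sid=1000001):
    """The poster's test rule: alert on ICMP echo requests from one external
    host into $HOME_NET.  sid 1000001 is in the local-rule range (hypothetical)."""
    return (f'alert icmp {external_host} any -> $HOME_NET any '
            f'(msg:"ICMP echo probe from test host"; itype:8; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    print(snort_home_net_list(SUBNETS))
    print(snort_home_net_single(SUBNETS))
    print(probe_rule(TEST_HOST))
    print("foreign ranges swept in by the single-block form:")
    for block in excess_ranges(SUBNETS):
        print("  ", block)
    print("foreign addresses:", excess_address_count(SUBNETS))
```

Run it as-is to see both HOME_NET lines and the carve-out. For the sample subnets the covering block is 10.20.0.0/20, which adds 3328 addresses across seven ranges that the list form would never have classified as internal; that is the cost the poster accepts when switching to "a netmask big enough to somewhat cover" the real subnets, and it is worth knowing before deciding whether the missed alerts are a Snort problem or a configuration trade-off.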
