Snort mailing list archives

Re: Snort Performance


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 10 Sep 2002 09:40:14 -0700 (PDT)

On Tue, 10 Sep 2002 jsp1999 () gmx de wrote:

> Snort is a great tool that offers convenient ways to customize the network
> traffic that should be monitored.

Errr...  Snort is an intrusion detection program.  Network monitoring needs
to be left to the likes of ntop and iptraf.

> Unfortunately we found out that there is a big problem if nearly all the
> available rules are used during operation.

Yes, that's right.  Why do you think we say "tune your ruleset for your
network?"  :)

> Snort does not look at all the packets; it often simply skips packets. On
> a highly loaded network this gets worse - more and more packets are simply
> not analyzed.

> Isn't this very dangerous, because many exploits require only a few
> packets to perform an exploit and to compromise machines?

Again, that's why you tune your rules.  :)  Check the archives, that's been
said from day one.

> When we had an in-depth look at the source code of snort, we saw that
> there are the RTN and OTN structures for storing the individual rules
> which have to be iterated through every time a new packet is matched.

> We consider this not to be optimal, because of the many ANY parts in the
> source and destination IPs. Has anybody thought about optimizing this
> basic data structure? Will this be improved in Snort 2.0 (we found some
> PPT presentations on the web)? Are there any chances for improving the
> ratio of investigated packets / actual packets on the network?

Why is it not optimal?  Care to elaborate?  As for the 'any parts', well...
We often tell folks to put the more specific rules at the top of the config to
improve performance.  Please check the archives on this--It's there. :)

Snort 2.0 will be different.  Many things will have changed.  But, we're not
there yet.  We've got to get 1.9 out of the door before 2.0 can be worried
with.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
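A toy model of the RTN/OTN walk the two posters argue about, added here as an example; it is not code from Snort or from either poster. The rule headers, the web server address, the payloads and the first-match assumption are all constructed for illustration.

```python
"""Toy model of Snort 1.x's RTN/OTN rule lists (added example, not Snort source).
An RTN (rule tree node) is a rule header that owns the OTNs (option tree nodes) holding
the payload options. A packet walks the RTN list in config order, walks the OTNs of each
header it matches, and stops at the first OTN hit (first-match is assumed by this model).
Counting checks shows the thread's two points: a packet pays for every rule ahead of the
one that fires, and "any any" headers filter nothing, so rules you do not need cost work
on every packet of that protocol.
"""
ANY = "any"

def rtn(proto, src, dst, dport, *otns):
    """Rule = header fields plus (content, msg) option pairs."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "otns": otns}

def pkt(proto, src, dst, dport, payload):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "payload": payload}

def header_matches(rule, p):
    return all(rule[k] in (ANY, p[k]) for k in ("proto", "src", "dst", "dport"))

def match(rules, p):
    """Return (msg or None, header checks, option checks) for one packet."""
    hdr = opt = 0
    for rule in rules:
        hdr += 1
        if not header_matches(rule, p):
            continue
        for content, msg in rule["otns"]:
            opt += 1
            if content in p["payload"]:
                return msg, hdr, opt
    return None, hdr, opt

def total_cost(rules, packets):
    costs = [match(rules, p)[1:] for p in packets]
    return sum(h for h, _ in costs), sum(o for _, o in costs)

# Constructed ruleset: three "any any" rules plus one rule scoped to an assumed web server.
WEB = "10.0.0.5"
BROAD = [rtn("tcp", ANY, ANY, ANY, (b"NOISE%d" % i, "generic %d" % i)) for i in range(3)]
PHF = rtn("tcp", ANY, WEB, 80, (b"/cgi-bin/phf", "WEB-CGI phf access"))
UNTUNED = BROAD + [PHF]   # specific rule buried at the bottom of the config
TUNED = [PHF] + BROAD     # specific rule first, as the reply advises
# Constructed traffic: three web hits, then an SSH and a DNS packet that match nothing.
PACKETS = [pkt("tcp", "192.0.2.%d" % i, WEB, 80, b"GET /cgi-bin/phf HTTP/1.0") for i in range(1, 4)]
PACKETS += [pkt("tcp", "192.0.2.9", "10.0.0.9", 22, b"SSH-2.0-OpenSSH"),
            pkt("udp", "192.0.2.9", "10.0.0.2", 53, b"\x12\x34\x01\x00")]

if __name__ == "__main__":
    print("untuned:", total_cost(UNTUNED, PACKETS), "tuned:", total_cost(TUNED, PACKETS))
```

Reordering only shortens the walk for packets that fire a rule; the SSH packet costs the same in both sets, which is why the reply's other advice, dropping rules you do not need, is the only thing that helps non-matching traffic.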



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users