Snort mailing list archives

Re: Snort Performance


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 10 Sep 2002 13:51:52 -0400

At 09:40 AM 9/10/2002 -0700, Erek Adams wrote:
> We consider this not to be optimal, because of the many ANY parts in the
> source and destination IPs. Has anybody thought about optimizing this
> basic data structure? Will this be improved in Snort 2.0 (we found some
> PPT presentations on the web)? Are there any chances for improving the
> ratio of investigated packets / actual packets on the network?

Why is it not optimal?  Care to elaborate?


I'd agree. I'd like to see someone suggest a structure which handles the "lots of any's" case in a noticeably better manner than the existing system without completely ruining performance for well-specified systems. Your existing statement strikes me as a bit like calling a compression algorithm "not optimal" because it fails in the worst-case input (i.e. true random data, which ALL compression algorithms must fail on).

As for the "lots of any's", I don't seem to have very many myself. But then again, I define EXTERNAL_NET as !HOME_NET instead of "any", and I've also tweaked a few rules to use specific IPs or subnets instead of any. But these tweaks need to be done in light of my particular network. Hence this is really an "optimize your ruleset for your network" problem rather than an "optimize snort to handle all cases, including the one which cannot be optimized" problem.

I would agree, however, that perhaps "some of the rules need to be better thought out and use HOME_NET and EXTERNAL_NET where appropriate" is a fair statement, i.e. virus rules might consider having "LOCAL_POP_CLIENTS" instead of 'any' in them.

so:
any 110 -> any any
becomes:
any 110 -> $LOCAL_POP_CLIENTS any

and default LOCAL_POP_CLIENTS to any, and suggest $HOME_NET as a good alternative.

But that's not really a whole lot of an optimization, since you're not likely to see port 110 in any kind of traffic other than that specific case. This weeds out very few packets in most real networks.

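The "how many of my rules are any -> any?" question above is easy to answer mechanically. The following is an added example (my own, not code from the post or from the Snort distribution): a small Python auditor that reads Snort 1.x/2.x-style `var` lines and rule headers, expands `$VAR` references (including the `!$HOME_NET` negation form), and lists the SIDs whose source and destination IP fields both resolve to `any`. The ruleset it parses is constructed for the example; the SIDs, messages and the 192.168.1.0/24 HOME_NET are assumptions. Running it twice, once with the default `LOCAL_POP_CLIENTS any` and once with the site override `LOCAL_POP_CLIENTS $HOME_NET`, shows the POP rule dropping out of the wide-open list exactly as the rewrite above intends.

```python
import re

# Constructed sample ruleset for this example (not from the post or the Snort tree).
# Mirrors the default-vs-override idea: LOCAL_POP_CLIENTS defaults to any.
SAMPLE_RULES = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var LOCAL_POP_CLIENTS any
alert tcp any 110 -> any any (msg:"POP3 virus body (wide open)"; sid:1000001;)
alert tcp any 110 -> $LOCAL_POP_CLIENTS any (msg:"POP3 virus body (scoped)"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB probe"; sid:1000003;)
alert udp any any -> any 53 (msg:"DNS any-any"; sid:1000004;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)
VAR_RE = re.compile(r'^var\s+(\w+)\s+(\S+)\s*$')
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')


def resolve(value, variables, depth=0):
    """Expand $NAME references in an address field, preserving a leading '!'.

    '!$HOME_NET' with HOME_NET=192.168.1.0/24 becomes '!192.168.1.0/24';
    a negated variable that itself negates cancels out.
    """
    if depth > 10:
        raise ValueError("variable reference cycle")
    negate = value.startswith('!')
    body = value[1:] if negate else value
    if body.startswith('$'):
        name = body[1:]
        if name not in variables:
            raise KeyError("undefined variable " + name)
        body = resolve(variables[name], variables, depth + 1)
        if body.startswith('!'):
            negate = not negate
            body = body[1:]
    return ('!' if negate else '') + body


def parse_ruleset(text, overrides=None):
    """Return (variables, rules). `overrides` plays the role of a site-local
    snort.conf that redefines a variable after the shipped default."""
    variables = {}
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("line %d: unparsable rule: %s" % (lineno, line))
        rules.append(m.groupdict())
    if overrides:
        variables.update(overrides)
    return variables, rules


def wide_open_rules(text, overrides=None):
    """SIDs whose source AND destination IP fields both resolve to 'any'.

    Note '!any' is not 'any' (it matches nothing), so it is not flagged."""
    variables, rules = parse_ruleset(text, overrides)
    flagged = []
    for r in rules:
        src = resolve(r['src'], variables)
        dst = resolve(r['dst'], variables)
        if src.lower() == 'any' and dst.lower() == 'any':
            sid = SID_RE.search(r['options'])
            flagged.append(int(sid.group(1)) if sid else None)
    return flagged


if __name__ == '__main__':
    print("default:  ", wide_open_rules(SAMPLE_RULES))
    print("override: ", wide_open_rules(SAMPLE_RULES,
                                        {"LOCAL_POP_CLIENTS": "$HOME_NET"}))
```

Point it at a real rules directory by concatenating the `var` lines from snort.conf with the `.rules` files; the list it prints is the set of rules that the "optimize your ruleset for your network" advice applies to, and, as the post notes, for a rule pinned to a port like 110 the win from scoping the destination is small because little else carries that port.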