Snort mailing list archives
Re: Rule Selection
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Fri, 11 Feb 2005 11:20:15 +0000
--On 10 February 2005 23:15 -0800 Rudi Starcevic <tech () wildcash com> wrote:
>> Depends on what you're looking for. I run some snort sensors "wide open" in order to monitor and profile all the attacks
>> that are occurring. In other cases, only selected rules are enabled.
> Miner, Jonathan W (CSC) (US SSA) wrote the above.
>
> Well I am very interested to know all attacks that may be occurring but network performance is our main concern. This box is a commercial web app that streams digital media so it must have the best network speed it can.
I suspect you're either deploying snort in an unusual way, or you're misunderstanding what it does.
Snort will not have any impact on the performance of the streaming, unless:

a) you're running it on the same machine as the stream server(s). Don't do that.
b) you're using your switch's SPAN port, and it can't keep up. Buy a better switch, or use a passive tap.
c) you're using snort in inline mode.
> Let's say only port 80 is open. Which of the two would run faster: a) Snort with all rules loaded, b) Snort with only port 80 rules loaded? I tend to think it makes no difference. If port 80 is not being used snort will not apply those rules. Am I correct?
AFAIK, it depends on the traffic that snort sees. If you have 1000 port 80 rules and 10 port 23 rules (say), then snort will perform (almost) identically in both these scenarios:
1) if you have all 1010 rules enabled, but there's no port 80 traffic
2) if you have only the port 23 rules enabled

If some port 80 traffic starts appearing, then the 1000 port 80 rules enabled in scenario 1 will be checked and snort will need more resources, or ignore ("drop") packets.
> Cheers, Rudi
HTH, Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
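The point Alex makes (rules for a port that carries no traffic cost essentially nothing, while rules for a port that does carry traffic are what consume the sensor's resources) can be shown with a small model of how a signature engine dispatches rules by port. The following is an added example, not code from the original thread or from the Snort project: it is a deliberately simplified, constructed simulation in which rules are bucketed by destination port and a packet is only checked against its own port's bucket. Real Snort additionally uses a multi-pattern fast matcher, so the per-rule cost is not linear as it is here, but the port-grouping effect is the same. The rule sets, payload patterns and packets are all constructed for the illustration.

```python
# Constructed model of port-grouped rule dispatch (not Snort's own code).
# Rules are indexed by destination port; a packet is only evaluated against
# the rules in its own port group (plus any "any"-port rules), so rules for
# ports that never see traffic are never touched.
from collections import defaultdict
from dataclasses import dataclass

ANY = -1  # models a rule header with destination port "any"


@dataclass(frozen=True)
class Rule:
    sid: int          # hypothetical rule id, like a Snort sid
    dst_port: int     # destination port in the rule header
    content: bytes    # payload pattern the rule looks for


def build_port_groups(rules):
    """Index rules by destination port, the way an engine builds port groups."""
    groups = defaultdict(list)
    for rule in rules:
        groups[rule.dst_port].append(rule)
    return groups


def inspect(groups, packets):
    """Run packets through the port groups.

    Returns (alerts, rules_evaluated): the list of (sid, dst_port) hits and
    the total number of individual rule checks the engine had to perform.
    """
    alerts = []
    evaluated = 0
    for dst_port, payload in packets:
        candidates = groups.get(dst_port, []) + groups.get(ANY, [])
        for rule in candidates:
            evaluated += 1
            if rule.content in payload:
                alerts.append((rule.sid, dst_port))
    return alerts, evaluated


def make_rules(n_http, n_telnet):
    """Build a constructed rule set: n_http port-80 rules and n_telnet port-23 rules."""
    http = [Rule(1000 + i, 80, b"/cgi-bin/%d" % i) for i in range(n_http)]
    telnet = [Rule(2000 + i, 23, b"login%d" % i) for i in range(n_telnet)]
    return http + telnet


def evaluation_cost(rules, packets):
    """Return (rules_evaluated, alerts) for a rule set against a traffic sample."""
    alerts, evaluated = inspect(build_port_groups(rules), packets)
    return evaluated, alerts


# Constructed traffic samples: five telnet packets, then the same plus five
# HTTP requests that happen to match one of the constructed port-80 rules.
TELNET_ONLY = [(23, b"login3 attempt")] * 5
MIXED = TELNET_ONLY + [(80, b"GET /cgi-bin/7 HTTP/1.0")] * 5

if __name__ == "__main__":
    all_rules = make_rules(1000, 10)      # scenario 1: 1010 rules loaded
    telnet_rules = make_rules(0, 10)      # scenario 2: only the 10 port-23 rules
    for name, traffic in (("telnet only", TELNET_ONLY), ("telnet + http", MIXED)):
        cost_all, hits_all = evaluation_cost(all_rules, traffic)
        cost_sub, hits_sub = evaluation_cost(telnet_rules, traffic)
        print(f"{name}: all rules -> {cost_all} checks, {len(hits_all)} alerts; "
              f"port-23 rules only -> {cost_sub} checks, {len(hits_sub)} alerts")
```

With telnet-only traffic both rule sets perform exactly the same number of checks (the 1000 port-80 rules sit idle), which is Alex's scenario 1 versus 2. Once HTTP traffic appears, the full rule set does 100 times more work per HTTP packet while the trimmed set does none and, of course, also raises no alert for it; that missed alert is the trade-off of trimming rules to save resources.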