Snort mailing list archives

Re: 2.8.4 performance improvements


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Mon, 27 Apr 2009 11:32:45 -0600

Good to know.  Has anyone done this?  Did you notice any appreciable performance improvement?  What about the rules 
that I listed below?  What will happen to those rules, do they just not get processed, or do they only get processed 
for sessions that don't need to be reassembled, or require the entire stream?

--
Shawn

________________________________
From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On Behalf Of JJ Cummings
Sent: April 27, 2009 10:29 AM
To: keith () sourcefire com
Cc: Jefferson, Shawn; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 2.8.4 performance improvements

Correct, you can do this by protocol also....
On Mon, Apr 27, 2009 at 11:17 AM, Keith Konecnik <kkonecnik () sourcefire com> wrote:
In stream5 you have the ability to turn on and off the ignore any any rules option.

-k

On Mon, Apr 27, 2009 at 12:53 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

One of the things that was talked about in the webcast on 2.8.4 was a performance improvement, but the trade-off is that 
rules with Any -> Any won't be processed by some of the pre-processors (like Stream5).  I was curious about how many 
rules are Any -> Any, and in my configuration (files with none are removed):

attack-responses.rules:1
bad-traffic.rules:4
deleted.rules:5
dns.rules:2
emerging-attack_response.rules:2
emerging-malware.rules:1
emerging-p2p.rules:6
emerging-policy.rules:31
emerging-scan.rules:7
emerging-virus.rules:34
exploit.rules:4
icmp.rules:3
policy.rules:2
tftp.rules:8

So, my question is, is it worth turning this new feature on?  Is anyone else using it yet?  Better performance sounds 
good...

Thanks,
Shawn





------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
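
Added example (not part of the original thread, and not code from any of its participants): one way to produce a per-file count like the listing in the original message, broken down by protocol since the Stream5 option is said above to be settable per protocol. It assumes "Any -> Any" means rules whose source and destination ports are both `any`; the sample rules and SIDs are constructed.

```python
import re
import sys
from collections import Counter

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options...)
HEADER = re.compile(r"^\s*\w+\s+(\S+)\s+\S+\s+(\S+)\s+(?:->|<>)\s+\S+\s+(\S+)\s*\(")

def logical_lines(text):
    """Yield rules with backslash line continuations joined, skipping comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def any_any_by_proto(text):
    """Count rules whose source AND destination ports are both 'any', per protocol."""
    counts = Counter()
    for rule in logical_lines(text):
        m = HEADER.match(rule)
        if m and m.group(2).lower() == "any" and m.group(3).lower() == "any":
            counts[m.group(1).lower()] += 1
    return counts

# Constructed sample rules file (not taken from any real rule set).
SAMPLE = r'''
# alert tcp any any -> any any (msg:"disabled rule, skipped"; sid:1000000;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample A"; content:"abc"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample B"; content:"abc"; sid:1000002;)
alert udp any any -> any any (msg:"sample C"; \
    content:"xyz"; sid:1000003;)
alert icmp any any -> any any (msg:"sample D"; itype:8; sid:1000004;)
alert tcp any !80 -> any any (msg:"sample E"; sid:1000005;)
'''

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            c = any_any_by_proto(fh.read())
        if c:  # files with no matching rules are omitted, as in the listing
            print(f"{path}:{sum(c.values())} {dict(c)}")
    if len(sys.argv) == 1:
        print(dict(any_any_by_proto(SAMPLE)))
```

Run it with the rule files as arguments to get `file:count` lines with a per-protocol breakdown; address lists written with spaces inside brackets are not handled by this simple header match.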
