Snort mailing list archives
Re: Certin ET rulesets and 100 percent usage.
From: Matt Jonkman <jonkman () jonkmans com>
Date: Fri, 08 May 2009 09:22:11 -0400
Quick question for you Marty. Eion and Joel Esler both have made the point that if we split the IP matching rules from a single "alert ip" into two "alert tcp" and "alert udp" we'll get a significant performance increase (which I'm implementing today). I know we'll miss icmp then, but that's not a big deal. But what causes the performance gain here? Doesn't make sense on the surface.

Thanks!

Matt

Martin Roesch wrote:
> Yeah, you're hitting the rule chains iteratively and that's just not going to perform. If you want to filter large sets of IP addresses that would be more properly implemented as a preprocessor with dedicated functionality.
>
> Marty
>
> On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman () jonkmans com> wrote:
>> Straight IP matching is something Snort doesn't do well. Unfortunately. So this isn't that unexpected. I'd only run those rulesets where you can afford the cycles, or run a second snort for these alone and turn off everything in its config to streamline some.
>>
>> Matt
>>
>> jlay () slave-tothe-box net wrote:
>>> So here's something interesting. Enabling ANY of the below rulesets results in snort using 100% CPU:
>>>
>>> emerging-botcc.rules
>>> emerging-compromised.rules
>>> emerging-drop.rules
>>> emerging-dshield.rules
>>> emerging-rbn.rules
>>> emerging-tor.rules
>>>
>>> Without, snort uses around 49%. Using 2.8.4.1 with about 700K average traffic. Any thoughts? Thanks.
>>>
>>> James

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
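The rewrite Matt says he is implementing (turning each "alert ip" rule into an "alert tcp" and an "alert udp" copy) as an added worked example; this script is not part of the thread and is not Emerging Threats' own tooling. It assumes the udp copy needs a distinct sid and shifts it by a fixed offset (UDP_SID_OFFSET is an assumed scheme, not something the thread specifies), and it refuses to split a rule that has no sid. The sample rules are constructed with RFC 5737 documentation addresses and made-up sids. As the thread notes, the split drops the icmp coverage the original "ip" rule had.

```python
import re

# Matches the action and protocol at the head of a Snort rule line; only
# rules whose protocol is "ip" are rewritten.
IP_RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+ip\s+(?P<rest>.+)$'
)
SID_RE = re.compile(r'sid:\s*(\d+)')

# Assumption (not from the thread): the udp copy needs its own sid, so it is
# shifted by a fixed offset. Choose an offset that cannot collide with sids
# already used by the rulesets you load.
UDP_SID_OFFSET = 1_000_000


def split_ip_rule(line, udp_sid_offset=UDP_SID_OFFSET):
    """Return [tcp_rule, udp_rule] for an 'alert ip' style rule, or [line]
    unchanged for comments, blank lines and rules on other protocols.

    The icmp traffic the original 'ip' rule would have matched is no longer
    covered; that is the trade-off discussed in the thread.
    """
    m = IP_RULE_RE.match(line.strip())
    if m is None:
        return [line]
    action, rest = m.group('action'), m.group('rest')
    if SID_RE.search(rest) is None:
        raise ValueError(f'rule has no sid, cannot split safely: {line!r}')
    tcp_rule = f'{action} tcp {rest}'
    # Only the first sid: option is rewritten (a well-formed rule has one).
    udp_rest = SID_RE.sub(
        lambda s: f'sid:{int(s.group(1)) + udp_sid_offset}', rest, count=1
    )
    udp_rule = f'{action} udp {udp_rest}'
    return [tcp_rule, udp_rule]


def split_ruleset(text, udp_sid_offset=UDP_SID_OFFSET):
    """Rewrite a whole rules file; returns (new_lines, number_of_rules_split)."""
    out, split_count = [], 0
    for line in text.splitlines():
        new = split_ip_rule(line, udp_sid_offset)
        if len(new) == 2:
            split_count += 1
        out.extend(new)
    return out, split_count


# Constructed sample rules using RFC 5737 documentation addresses and
# made-up sids; these are not lines from any Emerging Threats file.
SAMPLE_RULES = '''\
# constructed sample, not an ET ruleset
alert ip [192.0.2.10,198.51.100.0/24] any -> $HOME_NET any (msg:"EXAMPLE known bad source"; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [203.0.113.5] any (msg:"EXAMPLE contact with bad host"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE plain http rule, left alone"; sid:9000003; rev:1;)
'''

if __name__ == '__main__':
    lines, n = split_ruleset(SAMPLE_RULES)
    print('\n'.join(lines))
    print(f'# {n} ip rule(s) split into tcp+udp pairs')
```

Run it against a copy of the ruleset and load the output in a test Snort instance before swapping it into production, so that a sid collision or a rule the regex does not recognise shows up at config-load time rather than on the sensor.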
Current thread:
- Certin ET rulesets and 100 percent usage. jlay (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 07)
- Re: Certin ET rulesets and 100 percent usage. Martin Roesch (May 07)
- Re: Certin ET rulesets and 100 percent usage. Randal T. Rioux (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 08)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 08)
- Re: Certin ET rulesets and 100 percent usage. Martin Roesch (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 07)