Snort mailing list archives

Re: Rule efficiency


From: Korodev <korodev () gmail com>
Date: Fri, 23 Jul 2010 13:24:46 -0500

On Fri, Jul 23, 2010 at 12:56 PM, Alex Kirk <akirk () sourcefire com> wrote:
Multiple rules should be faster, due to the way Snort works. Snort's first
step for any packet is to use the fast pattern matcher to find appropriate
packets to operate on; the patterns used are based on the port used in the
rule, and either the longest static string specified in a content clause, or
the content clause specifically declared to be used by the "fast_pattern"
keyword. If the fast pattern matcher finds something, the rest of the rule
options are evaluated in order.
For cases where you've got a really small pattern, you're going to get a lot
more matches out of the fast pattern matcher, and thus force Snort to do
more work. Since the fast pattern matcher is, well, fast (so much so that
the dev team has called additional fast pattern checks "nearly free"), it
makes clear sense to get it to do as much sorting as possible for you before
you dig into the rules themselves.

While we're on this topic, can you elaborate on how this scales to
rules with strict IP matches (no content)? If I have a bad IP list I
want to convert to snort rules, is it more efficient to split these up
across more or less rules, and is there any known threshold for the
most optimum number of IPs per rule? Does it matter if the IPs are
properly sorted and grouped?

\\korodev
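As an added illustration of the prefilter behaviour described in the quoted reply (this is not code from the thread or from Snort itself): a toy Python model that picks a rule's fast pattern the way the post describes, the content tagged fast_pattern first, otherwise the longest content, and counts how many constructed HTTP payloads each choice hands on to full rule evaluation. The Rule class, evaluate() and the sample payloads are all assumptions invented for the example.

```python
# Added example: a simplified model of Snort's fast-pattern prefilter.
# This is not Snort's code; it only mirrors the selection rule described
# in the thread. Sample payloads below are constructed, not captured.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    sid: int
    contents: List[bytes]                   # content clauses as written
    fast_pattern: Optional[bytes] = None    # clause tagged with fast_pattern

    def prefilter_pattern(self) -> bytes:
        # An explicit fast_pattern wins; otherwise the longest content is used.
        if self.fast_pattern is not None:
            return self.fast_pattern
        return max(self.contents, key=len)

    def full_match(self, payload: bytes) -> bool:
        # Full evaluation: every content clause must be present. Ordering
        # modifiers such as distance/within are ignored in this toy model.
        return all(c in payload for c in self.contents)


def evaluate(rule: Rule, payloads: List[bytes]) -> dict:
    """Count how many payloads the fast pattern lets through versus how many
    the whole rule matches; the gap is wasted full-rule evaluation work."""
    pat = rule.prefilter_pattern()
    candidates = [p for p in payloads if pat in p]
    alerts = [p for p in candidates if rule.full_match(p)]
    return {"fast_pattern": pat, "prefilter_hits": len(candidates), "alerts": len(alerts)}


# Constructed sample traffic: ordinary requests plus one that should alert.
PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /cgi-bin/backup.cgi?file=x HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

# The same two content clauses, written two ways.
SHORT_FP = Rule(1000001, [b"GET", b"/cgi-bin/backup.cgi"], fast_pattern=b"GET")
LONGEST = Rule(1000002, [b"GET", b"/cgi-bin/backup.cgi"])

if __name__ == "__main__":
    for r in (SHORT_FP, LONGEST):
        print(r.sid, evaluate(r, PAYLOADS))
```

Forcing the three-byte "GET" as the fast pattern sends three of the four payloads into full evaluation; leaving the longer path string as the fast pattern sends only the one that actually alerts.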
