Re: Snort rules maximum rules per file

[Martin Holste <mcholste () gmail com>]

You are using the wrong tool for URL blocking.  You should be using
squid for this with policy-based routing to transparently redirect all
requests through squid as a transparent proxy.

On Fri, Jul 1, 2011 at 1:12 PM, Hussein Bahaidarah <husseinb () gmail com> wrote:
> Hello,
> no warning was displayed.
> All rules are simple and of the following format:
> alert tcp any any -> any 80 ( content:"URL"; react:; sid:1; )
> The content is changed on every rule which is basically a URL and the SID is
> incremented from 1 to 942099
> My system has 4GB memory. Before using snort 600MB is used and after snort
> full memory is utilized. That is on 2.9.0.5. Now, I have switched to Version
> 2.9.1_beta as the "react" option was not firing on multiple rules.
> I am testing snort with IXIA; but the result are not good as it seems that I
> am not configuring Snort in the right way. I need to achieve blocking for a
> big number of URL's with snort. Do you have any recommendations in this
> regards to tweak and optimize snort performance.
> Thanks,
> On Jun 29, 2011, at 7:52 PM, Russ Combs wrote:
> We have kicked this around internally, and don't have a simple configuration
> suggestion to try so a few questions ...
>
> Did you see any warnings in the startup output when you loaded 942099 rules?
>
> What kind of rules are these?  Are they all very simple rules or rules with
> lots of options?
>
> How much memory does your system have?  How much is used before and after
> starting Snort with all those rules?
>
> Thanks
> Russ
>
> On Sun, Jun 26, 2011 at 1:04 PM, Hussein Bahaidarah <husseinb () gmail com>
> wrote:
> > Hello,
> > I have found after extensive testing that only 131008 rules only fires
> > alert and action. Any rule after that will not take any action.
> > On Jun 25, 2011, at 8:39 PM, Hussein Bahaidarah wrote:
> > Hello,
> > Is there a limit on the number of rules support by snort in general? and
> > on per file basis? I have customized a file with 942099 rules and it took
> > about 15 minutes to start snort; but no alerts or actions wer fired.
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > 942099 Snort rules read
> >     942099 detection rules
> >     0 decoder rules
> >     0 preprocessor rules
> > 942099 Option Chains linked into 1 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > +-------------------[Rule Port
> > Counts]---------------------------------------
> > |             tcp     udp    icmp      ip
> > |     src       0       0       0       0
> > |     dst  942099       0       0       0
> > |     any       0       0       0       0
> > |      nc       0       0       0       0
> > |     s+d       0       0       0       0
> >
> > +----------------------------------------------------------------------------
> > --
> > Regards,
> > Hussein Bahaidara
> >
> >
> > ------------------------------------------------------------------------------
> > All of the data generated in your IT infrastructure is seriously valuable.
> > Why? It contains a definitive record of application performance, security
> > threats, fraudulent activity, and more. Splunk takes this data and makes
> > sense of it. IT sense. And common sense.
> > http://p.sf.net/sfu/splunk-d2d-c2
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please see http://www.snort.org/docs for documentation
>
>
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation