Snort mailing list archives
Re: Snort rules maximum rules per file
From: Martin Holste <mcholste () gmail com>
Date: Fri, 1 Jul 2011 13:56:48 -0500
You are using the wrong tool for URL blocking. You should be using squid for this with policy-based routing to transparently redirect all requests through squid as a transparent proxy. On Fri, Jul 1, 2011 at 1:12 PM, Hussein Bahaidarah <husseinb () gmail com> wrote:
Hello, no warning was displayed. All rules are simple and of the following format: alert tcp any any -> any 80 ( content:"URL"; react:; sid:1; ) The content is changed on every rule which is basically a URL and the SID is incremented from 1 to 942099 My system has 4GB memory. Before using snort 600MB is used and after snort full memory is utilized. That is on 2.9.0.5. Now, I have switched to Version 2.9.1_beta as the "react" option was not firing on multiple rules. I am testing snort with IXIA; but the result are not good as it seems that I am not configuring Snort in the right way. I need to achieve blocking for a big number of URL's with snort. Do you have any recommendations in this regards to tweak and optimize snort performance. Thanks, On Jun 29, 2011, at 7:52 PM, Russ Combs wrote: We have kicked this around internally, and don't have a simple configuration suggestion to try so a few questions ... Did you see any warnings in the startup output when you loaded 942099 rules? What kind of rules are these? Are they all very simple rules or rules with lots of options? How much memory does your system have? How much is used before and after starting Snort with all those rules? Thanks Russ On Sun, Jun 26, 2011 at 1:04 PM, Hussein Bahaidarah <husseinb () gmail com> wrote:Hello, I have found after extensive testing that only 131008 rules only fires alert and action. Any rule after that will not take any action. On Jun 25, 2011, at 8:39 PM, Hussein Bahaidarah wrote: Hello, Is there a limit on the number of rules support by snort in general? and on per file basis? I have customized a file with 942099 rules and it took about 15 minutes to start snort; but no alerts or actions wer fired. +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 942099 Snort rules read 942099 detection rules 0 decoder rules 0 preprocessor rules 942099 Option Chains linked into 1 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 0 0 0 0 | dst 942099 0 0 0 | any 0 0 0 0 | nc 0 0 0 0 | s+d 0 0 0 0 +---------------------------------------------------------------------------- -- Regards, Hussein Bahaidara ------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
Current thread:
- Re: Snort rules maximum rules per file Hussein Bahaidarah (Jul 01)
- Re: Snort rules maximum rules per file Martin Holste (Jul 01)
- Re: Snort rules maximum rules per file Hussein Bahaidarah (Jul 02)
- Re: Snort rules maximum rules per file Russ Combs (Jul 15)
- Re: Snort rules maximum rules per file Hussein Bahaidarah (Jul 15)
- Re: Snort rules maximum rules per file Hussein Bahaidarah (Jul 02)
- Re: Snort rules maximum rules per file Martin Holste (Jul 01)
- Re: Snort rules maximum rules per file Jason Wallace (Jul 01)