Snort mailing list archives
rule timing and benchmarking
From: Mike Miller <mike () millertwinracing com>
Date: Fri, 23 Aug 2013 08:24:12 -0600
I've come onboard to a company that has an extremely specific set of Snort rules, based on an event in their recent past. There are a number of directions we can go in to optimize the sensors, but I have a few questions to see if that's necessary.

The rulesets define a LARGE number of IP addresses of interest, based on an event. We have some IP lists that define roles based on target value and bad-guy destination. So, a typical rule will be

alert tcp [$ASSET_LIST, !$FILESERVERS, !$NETWORK_STUFF, !$WEBSERVERS] any <> [$KNOWN_BADGUYS, $SUSPECTED_BADGUYS, !$WHITELISTED_IPS] any (msg " .....

The problem being, there could be several hundred source and destination IP addresses in that rule, and there are quite a few rules. Is there a significant performance impact from listing an excessively large number of IP addresses in a rule?

The server in question is an Alienvault sensor; as near as I can tell, I can't use PF_RING to pile up additional threads (still researching), but we may end up throwing additional hardware at it or replacing it with a bigger box. Currently it can handle _just_ these specific rules, so much of the other Snort rulesets are disabled.
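Before tuning for performance it helps to know what such a rule header actually covers once the variables and negations are resolved. The following is an added example, not code from the original post or from Snort: it resolves nested ipvar-style lists with `!` negation, checks whether a given address matches the header, and enumerates the effective address set so the real size of a rule can be measured. The IPVARS values are constructed placeholders; the handling of a negated variable (it excludes only that variable's positive entries) is a simplifying assumption, not Snort's exact semantics.

```python
import ipaddress
IPVARS = {  # constructed placeholder lists standing in for the poster's real ipvar definitions
    "ASSET_LIST": "[10.0.0.0/24, 10.0.1.0/24]",
    "FILESERVERS": "[10.0.0.10, 10.0.0.11]",
    "NETWORK_STUFF": "10.0.0.1",
    "WEBSERVERS": "10.0.1.0/28",
    "KNOWN_BADGUYS": "203.0.113.0/25",
    "SUSPECTED_BADGUYS": "[198.51.100.5, 198.51.100.6]",
    "WHITELISTED_IPS": "198.51.100.6",
}

def split_list(text):
    """Split a Snort IP list on top-level commas, honouring nested [ ] brackets."""
    text = text.strip()
    text = text[1:-1] if text.startswith("[") and text.endswith("]") else text
    items, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur.strip()); cur = ""
        else:
            cur += ch
    return items + [cur.strip()] if cur.strip() else items

def expand(spec, ipvars=IPVARS):
    """Resolve $variables into (include, exclude) network sets; negating a variable excludes its positive entries (simplification)."""
    include, exclude = set(), set()
    for item in split_list(spec):
        negate, item = item.startswith("!"), item.lstrip("!").strip()
        if item.startswith("$"):
            inc, exc = expand(ipvars[item[1:]], ipvars)
        else:
            inc, exc = {ipaddress.ip_network("0.0.0.0/0" if item == "any" else item, strict=False)}, set()
        if negate:
            exclude |= inc
        else:
            include |= inc
            exclude |= exc
    return include, exclude

def matches(addr, spec, ipvars=IPVARS):
    """True if addr sits inside spec's positive entries and inside none of its negations."""
    ip, (inc, exc) = ipaddress.ip_address(addr), expand(spec, ipvars)
    return any(ip in n for n in inc) and not any(ip in n for n in exc)

def effective_hosts(spec, ipvars=IPVARS):
    """Enumerate every address the spec really covers ('any' is rejected as not enumerable)."""
    inc, exc = expand(spec, ipvars)
    if any(n.prefixlen == 0 for n in inc):
        raise ValueError("spec covers 'any'; not enumerable")
    return {ip for n in inc for ip in n if not any(ip in x for x in exc)}
```

Running `len(effective_hosts(...))` over each rule's source and destination header gives a concrete count to compare against sensor load, which is more useful than the raw number of list entries.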