Snort mailing list archives

rule timing and benchmarking


From: Mike Miller <mike () millertwinracing com>
Date: Fri, 23 Aug 2013 08:24:12 -0600

I've come onboard to a company that has an extremely specific set of Snort
rules, based on an event in their recent past.

There are a number of directions we can go in to optimize the sensors, but
I have a few questions to see if that's necessary.

The rulesets define a LARGE number of IP addresses of interest, based on an
event.

We have some IP lists that define roles based on target value and badguy
destination. So, a typical rule will be

alert tcp [$ASSET_LIST, !$FILESERVERS, !$NETWORK_STUFF, !$WEBSERVERS] any
<> [$KNOWN_BADGUYS, $SUSPECTED_BADGUYS, !$WHITELISTED_IPS] any (msg " .....

The problem being, there could be several hundred source and destination IP
addresses in that rule, and there's quite a few rules.

Is there a significant performance impact by listing an excessively large
number of IP addresses in a rule?


The server in question is an AlienVault sensor; near as I can tell, I can't
use PF_RING to pile up additional threads (still researching), but we may
end up throwing additional hardware at it or replacing it with a bigger box. Currently
it can handle _just_ these specific rules, so much of the other Snort
rulesets are disabled.
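One concrete way to shrink address lists like the ones in the rule above before worrying about sensor hardware is to compute the effective set behind a `[$INCLUDE, !$EXCLUDE]` list and re-emit it as the minimal CIDR list. The script below is an added example, not code from the poster or the Snort project; the `ASSET_LIST`, `FILESERVERS` and `WEBSERVERS` values are constructed, IPv4-only stand-ins for the poster's variables.

```python
import ipaddress

# Constructed sample lists standing in for the poster's $ASSET_LIST, $FILESERVERS
# and $WEBSERVERS (hypothetical values; all IPv4, since collapse_addresses needs one family).
ASSET_LIST = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/23", "10.1.2.5", "10.1.4.0/24"]
FILESERVERS = ["10.1.1.10", "10.1.1.11"]
WEBSERVERS = ["10.1.4.0/24"]


def parse(entries):
    """Turn Snort-style host and CIDR strings into ip_network objects (hosts become /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def effective_set(include, exclude):
    """Return the minimal CIDR list equivalent to Snort's [include, !exclude] address list:
    overlapping and adjacent entries are merged, then each negated entry is carved out."""
    nets = list(ipaddress.collapse_addresses(parse(include)))
    for ex in parse(exclude):
        remaining = []
        for net in nets:
            if net.subnet_of(ex):
                continue                                   # entry is entirely negated, drop it
            if ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))  # split the entry around the hole
            else:
                remaining.append(net)                      # no overlap, keep as is
        nets = remaining
    return list(ipaddress.collapse_addresses(nets))


def matches(nets, ip):
    """True if the address is matched by the reduced list (sanity check against the original)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def snort_list(nets):
    """Render the reduced set in the bracketed syntax accepted by ipvar and rule headers."""
    return "[" + ",".join(str(n) for n in nets) + "]"


if __name__ == "__main__":
    reduced = effective_set(ASSET_LIST, FILESERVERS + WEBSERVERS)
    original = len(ASSET_LIST) + len(FILESERVERS) + len(WEBSERVERS)
    print(f"{original} list entries -> {len(reduced)} CIDR blocks, "
          f"{sum(n.num_addresses for n in reduced)} addresses")
    print(snort_list(reduced))
```

Spot-checking a few hosts with `matches()` against the original lists before pasting the output into an `ipvar` catches a negation that silently swallows a whole positive entry.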