Snort mailing list archives

Re: rule timing and benchmarking


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 23 Aug 2013 13:40:52 -0400

On 8/23/2013 10:24, Mike Miller wrote:
> Is there a significant performance impact by listing an excessively large number
> of IP addresses in a rule?

Yes, there is a performance impact. The best way, it seems, is to script a
rule generator that lists X IPs per rule; this seems to be the most common
method used. Emerging Threats, for example, does this with many of their
IP-based rules files. They have two entries for each set so as to split TCP
and UDP, which helps to lessen the performance impact.

However, you may be able to use the new reputation functionality. You simply
list the IPs or IP/CIDR, one per line, in the reputation preprocessor's IP list
file. Supposedly this is much faster than the text-based static rules
format mentioned above. This blocks all listed entries, or allows them if they
are listed in the whitelist. There is a bit more to it than this, but this is
the gist.

If/when you look into this, do not be confused by the (poor) naming of
black_list.rules and blacklist.rules; they are quite separate and distinct.
blacklist.rules is distributed by VRT and is textual rules looking at DNS
lookups for known bad or infestation-delivering domains; they are not IP
oriented. black_list.rules, on the other hand, is the IP and/or IP/CIDR based
format I mention above. This one uses the reputation preprocessor, which is
where you might want to look in this endeavor.

NOTE: for clarity, I have proposed that the black_list.rules and
white_list.rules files be renamed in the sample config as well as the empty
distributed ones, to alleviate the confusion caused by the similarity of names
with the blacklist.rules file. In the installs that I manage, we have selected
to prefix the preprocessor's rules files with RPP_, such that they are known as
RPP_black_list.rules and RPP_white_list.rules.



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
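The two forms the reply contrasts, as an added example that is not code from the post, from Snort or from Emerging Threats: a small Python generator that takes one IP feed and emits both the chunked textual rules (X addresses per rule, tcp and udp split, one sid per chunk) and the one-entry-per-line file the reputation preprocessor reads. The sample feed is constructed from documentation address ranges; the function names, the msg text, the sid range and the file names are illustrative choices and the preprocessor line quoted in a comment is the stock Snort 2.9 form.

```python
#!/usr/bin/env python3
"""Added example: turn one IP feed into the two Snort block-list forms the
reply contrasts.  Not code from the post, from Snort or from Emerging Threats;
function names, file names and the sid range are illustrative choices."""
import ipaddress
from typing import Iterator, List

# Constructed sample feed (documentation ranges only), with the kinds of noise a
# real feed dump carries: a comment, a blank line, a duplicate, a bad entry.
SAMPLE_FEED = """\
# constructed sample, not a real threat feed
192.0.2.10
192.0.2.11
198.51.100.0/24

203.0.113.5
192.0.2.10
not-an-address
203.0.113.6
"""


def parse_feed(text: str) -> List[str]:
    """Return validated, de-duplicated IPv4 entries in first-seen order.

    Everything goes through ipaddress so a single host becomes "a.b.c.d" and a
    block becomes "a.b.c.d/n", both of which Snort accepts inside a bracketed
    address list and in a reputation list file.  Lines that do not parse are
    dropped rather than written into a rule that would then fail to load.
    """
    seen, entries = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version != 4:
            continue  # keep the example to IPv4
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def chunks(items: List[str], size: int) -> Iterator[List[str]]:
    """Yield consecutive slices of at most `size` items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def generate_rules(entries: List[str], per_rule: int, sid_base: int,
                   msg: str = "LOCAL Blocked IP list") -> List[str]:
    """Chunked textual rules: at most per_rule addresses per rule, one rule
    per chunk for tcp and one for udp, each with its own sid so an alert
    points back at a specific chunk."""
    rules = []
    sid = sid_base
    for n, part in enumerate(chunks(entries, per_rule), start=1):
        iplist = "[" + ",".join(part) + "]"  # no spaces inside the list
        for proto in ("tcp", "udp"):
            rules.append(
                f"alert {proto} {iplist} any -> $HOME_NET any "
                f'(msg:"{msg} {proto} chunk {n}"; classtype:misc-activity; '
                f"sid:{sid}; rev:1;)"
            )
            sid += 1
    return rules


def generate_reputation_list(entries: List[str]) -> str:
    """One IP or IP/CIDR per line: the format of the reputation preprocessor's
    list files (black_list.rules / white_list.rules in the stock config).  The
    file is then named in snort.conf on the preprocessor line, e.g.
        preprocessor reputation: blacklist $BLACK_LIST_PATH/black_list.rules
    """
    header = "# reputation preprocessor list: one IP or IP/CIDR per line"
    return header + "\n" + "\n".join(entries) + "\n"


if __name__ == "__main__":
    ips = parse_feed(SAMPLE_FEED)
    print("\n".join(generate_rules(ips, per_rule=2, sid_base=9000000)))
    print(generate_reputation_list(ips), end="")
```

Running it on the constructed feed yields five clean entries, six rules (three chunks of two, tcp and udp each) and a five-line list file. Whichever form you load, validate the feed first: one unparsable line in a bracketed list stops the whole rules file from loading, which is a far worse outcome than a slow rule.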

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users