Snort mailing list archives

Snort 2.9.6.0 and number of rules


From: Y M <snort () outlook com>
Date: Sun, 2 Mar 2014 16:39:42 +0000

We have a development/testing Snort box (VM) running Snort 2.9.6.0 that we mainly use for testing custom rules. We are 
experiencing an odd behavior depending on the number of rules enabled. For instance, we have a set of 4 pcaps that we 
are currently working on with the following sizes:
 
pcap1.pcap --> 6.2 MB
pcap2.pcap --> 2.4 MB
pcap3.pcap --> 17.9 MB
pcap4.pcap --> 2.2 MB
 
If the rules are set up to run the Security policy, then we get the associated alerts that we are expecting to be 
generated (over 1700 alerts) including both VRT and our custom alerts. The pcaps are being read through --pcap-dir and 
--pcap-show. However, if all of the rules are enabled and we run the same command, we only get 2 alerts (1 VRT and 1 
custom).
 
The same behavior also happens when running snort against the pcaps individually using the -r option. I tested the same 
pcaps using the above scenario against a VM running Snort 2.9.5.6 and we always get the expected behavior as above 
(over 1700 alerts).
 
One thing I noticed is that when using the Security policy, once Snort completes reading the pcap, the exit 
statistics are displayed. However, when all of the rules are enabled, the exit statistics do not display at all.
 
Both VMs running Snort 2.9.5.6 and 2.9.6.0 have the same configuration and the same number of rules, with the exception that 
Snort 2.9.6.0 was configured with the file_inspect preprocessor, though it is disabled. I recompiled Snort with only 
--enable-sourcefire and --enable-reload, but the same odd behavior remained. The VM running Snort 2.9.6.0 has a 12-core 
CPU and 8 GB of RAM.
 
Has anyone experienced the same behavior or tested Snort with all the rules enabled against some pcaps? I must be doing 
something stupid here or there.
 
Thanks.
YM
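The post compares two Snort runs over the same pcaps (Security policy versus all rules enabled) by alert count and by whether the exit statistics appear. The script below is an added example, not code from the poster or from the Snort project: it parses Snort's fast-alert output (`[**] [gid:sid:rev] msg [**]`), splits alerts into VRT and custom by the usual convention that local rules use SIDs of 1000000 and above (an assumption about the poster's rule set), checks the console output for the shutdown statistics block (the marker strings `Packet I/O Totals:` and `Action Stats:` are assumed from Snort 2.9 output), and flags a run whose alert count collapsed or whose exit statistics never printed. The alert lines and console output are constructed samples mimicking the symptom described above.

```python
import re
from collections import Counter

# Fast-alert line: "MM/DD-HH:MM:SS.ffffff  [**] [GID:SID:REV] msg [**] [Classification: ...] ..."
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Assumption: local/custom rules use SIDs >= 1000000; anything lower is counted as VRT.
CUSTOM_SID_FLOOR = 1_000_000

# Assumption: these headings appear in Snort 2.9's exit statistics on a normal shutdown.
EXIT_STAT_MARKERS = ("Packet I/O Totals:", "Action Stats:")

# Constructed sample: the "good" run (Security policy) fires VRT and custom rules.
BASELINE_ALERTS = [
    "03/02-16:39:42.000001  [**] [1:2003:8] EXAMPLE VRT RULE A [**] [Priority: 3] {TCP} 10.0.0.5:49152 -> 10.0.0.9:80",
    "03/02-16:39:42.000002  [**] [1:2003:8] EXAMPLE VRT RULE A [**] [Priority: 3] {TCP} 10.0.0.5:49153 -> 10.0.0.9:80",
    "03/02-16:39:42.000003  [**] [1:2010:4] EXAMPLE VRT RULE B [**] [Priority: 2] {TCP} 10.0.0.5:49154 -> 10.0.0.9:443",
    "03/02-16:39:42.000004  [**] [1:1000001:1] CUSTOM TEST RULE 1 [**] [Priority: 1] {UDP} 10.0.0.5:5353 -> 10.0.0.9:53",
    "03/02-16:39:42.000005  [**] [1:1000002:1] CUSTOM TEST RULE 2 [**] [Priority: 1] {TCP} 10.0.0.5:49155 -> 10.0.0.9:22",
]
# Constructed sample: the "bad" run (all rules enabled) yields one VRT and one custom alert.
CANDIDATE_ALERTS = [BASELINE_ALERTS[0], BASELINE_ALERTS[3]]

# Constructed console output: the good run prints exit statistics, the bad run stops early.
BASELINE_OUT = [
    "Run time for packet processing was 1.234 seconds",
    "Packet I/O Totals:",
    "   Received:        12345",
    "Action Stats:",
    "     Alerts:            5",
]
CANDIDATE_OUT = ["Commencing packet processing (pid=4242)"]


def count_alerts(alert_lines):
    """Parse fast-alert lines; return totals split into VRT/custom plus a per-(gid,sid) Counter."""
    per_sid = Counter()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:  # skip anything that is not an alert record
            continue
        gid, sid = int(m.group(1)), int(m.group(2))
        per_sid[(gid, sid)] += 1
    vrt = sum(n for (_, s), n in per_sid.items() if s < CUSTOM_SID_FLOOR)
    custom = sum(n for (_, s), n in per_sid.items() if s >= CUSTOM_SID_FLOOR)
    return {"total": vrt + custom, "vrt": vrt, "custom": custom, "per_sid": per_sid}


def has_exit_stats(stdout_lines):
    """True when the console output contains Snort's shutdown statistics block."""
    text = "\n".join(stdout_lines)
    return all(marker in text for marker in EXIT_STAT_MARKERS)


def compare_runs(baseline, candidate, baseline_out, candidate_out, ratio=0.5):
    """Return a list of findings describing how the candidate run diverges from the baseline."""
    b, c = count_alerts(baseline), count_alerts(candidate)
    findings = []
    if b["total"] and c["total"] < b["total"] * ratio:
        findings.append(f"alert count dropped from {b['total']} to {c['total']}")
    if has_exit_stats(baseline_out) and not has_exit_stats(candidate_out):
        findings.append("exit statistics missing in candidate run (possible abnormal termination)")
    missing = set(b["per_sid"]) - set(c["per_sid"])
    if missing:
        findings.append(f"{len(missing)} SIDs fired only in the baseline run")
    return findings


if __name__ == "__main__":
    for f in compare_runs(BASELINE_ALERTS, CANDIDATE_ALERTS, BASELINE_OUT, CANDIDATE_OUT):
        print("FINDING:", f)
```

In practice you would feed `count_alerts` the lines of the `alert` file from each run and `has_exit_stats` the captured stdout of `snort --pcap-dir ... --pcap-show`; a missing statistics block is worth checking against the process exit code and the system log, since it usually means Snort did not reach a normal shutdown.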