Snort mailing list archives
RE: Rules vs performance
From: Jean-Francois Zwobada <zwobada () fluxus net>
Date: Fri, 11 May 2001 08:54:39 +0200
Hi guys What's the average and peak bandwidth you're trying to analyse ? Regards JF At 12:53 10/05/01 -0700, Kevin Brown wrote:
I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s link the snort was clocking 40% of the cpu with absolutely no rules or plugins. I don't remember the specifics, but I was removing rules from the list till snort dropped to 80% or less and of the ruleset of 400 rules I had to drop all but 50 I believe to get it down. I'm currently using a Sparc 500 and it is clocking 50% of the CPU (same link) with the full ruleset in place (snort1.8b5 build 20). I downloaded top and compiled it and just watch the processes and notice that with just the database and spp plugins snort is slowing eating up my 1GB of memory. I don't know if that is a memory leak or just a lot of memory caching going on within snort.-----Original Message-----From: Robinson, Ken [<mailto:ken.robinson () ccra-adrc gc ca>mailto:ken.robinson () ccra-adrc gc ca]Sent: Thursday, May 10, 2001 12:42 To: Snort List (E-mail) Subject: [Snort-users] Rules vs performance Hello, Are there any rule-of-thumb, or such on how the number of Snort rules affects the performance? In doing some lab tests, we found that has the amount of traffic went up, we detected fewer and fewer test attacks. CPU usage was high, but not peaked right out. The lab boxes were PIII 800Mhz systems with 100Mbit NICs and 256Meg RAM. I don't know of the misses were due to an issue with the hardware (NIC missing packets?), or if there were too many rules to sort through for the Snort software, or too much logging? We've looked through the snort rules from Whitehats and found many cases were we could reduce the rules by either dropping them (i.e. don't care), reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping instead of detecting which OS), or making groups of them as activate rules (i.e. the DeepThroat backdoor rules). We could also use the Activate rules to log the next 50 packets and then run a full set or rules on those logged packets. So, any advise for us? Should we use Activate rules as much as possible? Should we generalize rules? Or is all of this not going to make much of a difference? Thanks. ---- Ken Robinson _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:<http://lists.sourceforge.net/lists/listinfo/snort-users>http://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users list archive:<http://www.geocrawler.com/redir-sf.php3?list=snort-users>http://www.geocrawler.com/redir-sf.php3?list=snort-users
Jean-Francois Zwobada Cellule Securite - Fluxus Phone : +33.1.44.97.70.00 - Fax : +33.1.44.97.70.14 30, rue du Chateau des Rentiers - 75013 PARIS _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Rules vs performance Robinson, Ken (May 10)
- <Possible follow-ups>
- RE: Rules vs performance Kevin Brown (May 10)
- RE: Rules vs performance Jean-Francois Zwobada (May 11)
- RE: Rules vs performance Robinson, Ken (May 11)