RE: Rules vs performance

["Robinson, Ken" <ken.robinson () ccra-adrc gc ca>]

I want to handle full duplex, 100Mbit.    We're using Ether Taps, so each
direction is actually a different NIC.  



-----Original Message-----
From: Jean-Francois Zwobada [mailto:zwobada () fluxus net]
Sent: May 11, 2001 2:55 AM
To: Kevin Brown; 'Robinson, Ken'; Snort List (E-mail)
Subject: RE: [Snort-users] Rules vs performance



Hi guys

What's the average and peak bandwidth you're trying to analyse ?

Regards

JF

At 12:53 10/05/01 -0700, Kevin Brown wrote:

> I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s 
> link the snort was clocking 40% of the cpu with absolutely no rules or 
> plugins.  I don't remember the specifics, but I was removing rules from 
> the list till snort dropped to 80% or less and of the ruleset of 400 rules 
> I had to drop all but 50 I believe to get it down.  I'm currently using a 
> Sparc 500 and it is clocking 50% of the CPU (same link) with the full 
> ruleset in place (snort1.8b5 build 20).  I downloaded top and compiled it 
> and just watch the processes and notice that with just the database and 
> spp plugins snort is slowing eating up my 1GB of memory.  I don't know if 
> that is a memory leak or just a lot of memory caching going on within
snort.
> -----Original Message-----
> From: Robinson, Ken 
> [<mailto:ken.robinson () ccra-adrc gc ca>mailto:ken.robinson () ccra-adrc gc ca]
> Sent: Thursday, May 10, 2001 12:42
> To: Snort List (E-mail)
> Subject: [Snort-users] Rules vs performance
>
> Hello,
>
> Are there any rule-of-thumb, or such on how the number of Snort rules
> affects the performance?
>
> In doing some lab tests, we found that has the amount of traffic went up,
we
> detected fewer and fewer test attacks.     CPU usage was high, but not
> peaked right out.     The lab boxes were PIII 800Mhz systems with 100Mbit
> NICs and 256Meg RAM.
>
> I don't know of the misses were due to an issue with the hardware (NIC
> missing packets?), or if there were too many rules to sort through for the
> Snort software, or too much logging?
>
> We've looked through the snort rules from Whitehats and found many cases
> were we could reduce the rules by either dropping them (i.e. don't care),
> reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
> instead of detecting which OS),  or making groups of them as activate rules
> (i.e. the DeepThroat backdoor rules).    We could also use the Activate
> rules to log the next 50 packets and then run a full set or rules on those
> logged packets.
>
> So, any advise for us?   Should we use Activate rules as much as possible?
> Should we generalize rules?   Or is all of this not going to make much of a
> difference?
>
> Thanks.
>
> ----
> Ken Robinson
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> <http://lists.sourceforge.net/lists/listinfo/snort-users>http://lists.sourc
eforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> <http://www.geocrawler.com/redir-sf.php3?list=snort-users>http://www.geocra
wler.com/redir-sf.php3?list=snort-users 
>

Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : +33.1.44.97.70.00 - Fax : +33.1.44.97.70.14
30, rue du Chateau des Rentiers - 75013 PARIS

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users