Snort mailing list archives
Snort Performance
From: jsp1999 () gmx de
Date: Tue, 10 Sep 2002 12:49:48 +0200 (MEST)
Hi all!

Snort is a great tool that offers convenient ways to customize the network traffic that should be monitored. Unfortunately we found out that there is a big problem if nearly all the available rules are used during operation. Snort does not look at all the packets, it often simply skips packets. On a highly loaded network this gets worse - more and more packets are simply not analyzed. Isn't this very dangerous, because many exploits require only a few packets to perform an exploit and to compromise machines?

When we had an in-depth look at the source code of Snort, we saw that there are the RTN and OTN structures for storing the individual rules which have to be iterated through every time a new packet is matched. We consider this not to be optimal, because of the many ANY parts in the source and destination IPs.

Has anybody thought about optimizing this basic data structure? Will this be improved in Snort 2.0 (we found some PPT presentations on the web)? Are there any chances for improving the ratio of investigated packets / actual packets on the network?

J.