Snort mailing list archives
Re: Performance and rule tuning
From: Matt Jonkman <jonkman () jonkmans com>
Date: Wed, 03 Dec 2008 15:30:35 -0500
You have to be careful with any ruleset how much of it and which rules you run, but more so with the Emerging Threats rules. It's always a balance of throughput vs. tolerance of risk. I'd not just kill all the ET rules, but look through and pick what's important. The policy rules, much of the web client stuff, and the web_sql_injection sets are going to be very high load. Use them only if you have the capacity and need. I'd personally not pass on the virus and malware sets, and the scan rulesets. Very important sets and much lower load. They're worth balancing into your sensors if possible.

Matt

Jefferson, Shawn wrote:
I've been running the mmaped pcap module with snort on both my sensors for the last two days, and noticed quite an improvement; however, I was still getting dropped packets. I commented out all the Emerging Threats rules and this eliminated any dropped packets with over 100 MB/s of sustained traffic (at least that is what snort stats is showing me). Also, I noticed CPU usage went down considerably as well. I guess I don't have enough horsepower to run these rules.

Speaking of the stats though... I noticed that with each increase in the performance of my snort sensor, I'm recording more MBit/second. Now it's up to around 150 Mb/s. Is this number an accurate measure of what's on the wire, or does it depend somewhat on the performance of your sensor?

One more question about rule tuning: I am getting some false positives from the ftp pre-processor. How do I suppress these without disabling the pre-processor altogether?

Thanks!
Shawn

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: December 02, 2008 11:40 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Performance and rule tuning

Thanks for your help everyone, I think I have this working. The log was daemon.log not messages, and it wasn't using PCAP_FRAMES. I did the following:

Apt-get remove libpcap0.8
Rebuilt snort
Used "export PCAP_FRAMES=32768" (I was confused as to whether to use export or not... export seems to be required.)

Now it says "Using PCAP_FRAMES=32768" in daemon.log. Now I'll do this on my main snort sensor and see if there is any performance improvement.
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
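As an added example (not configuration from the thread or from Emerging Threats), the two tuning steps discussed above: trimming the ET categories Matt names in snort.conf, and quieting a preprocessor false positive with suppress/threshold entries rather than disabling the preprocessor. The ET rule file names, the ftp_telnet FTP preprocessor GID of 125, and the SID and IP address are assumptions or placeholders.

```conf
# Added example, not from the thread. Assumes Snort 2.8-era syntax,
# ET rule file names of that period, ftp_telnet FTP GID 125, and
# placeholder SID/IP values.

# --- snort.conf: pick ET categories by load vs. risk ---
# High-load sets: leave commented out unless the sensor has spare capacity.
# include $RULE_PATH/emerging-policy.rules
# include $RULE_PATH/emerging-web_client.rules
# include $RULE_PATH/emerging-web_sql_injection.rules
# Lower-load, high-value sets: keep these enabled.
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-scan.rules

# --- threshold.conf (included from snort.conf): silence one
# preprocessor false positive, preprocessor stays on ---
# Preprocessor events are addressed by gen_id:sig_id just like rules;
# the GID/SID pair appears in the alert as [125:<sid>:<rev>].
# Drop event 125:2 only when the source is a known-good host
# (placeholder SID and address):
suppress gen_id 125, sig_id 2, track by_src, ip 10.1.2.3
# Alternatively rate-limit it: at most one alert per source per minute.
threshold gen_id 125, sig_id 2, type limit, track by_src, count 1, seconds 60
```

Suppressing by source or destination keeps the preprocessor's other events intact, so coverage is lost only for the specific host and event you have verified as benign.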