Snort mailing list archives
Re: Certin ET rulesets and 100 percent usage.
From: Matt Jonkman <jonkman () jonkmans com>
Date: Fri, 08 May 2009 09:19:37 -0400
Religious argument so I won't beat it too much. But many places haven't the easy ability to add massive numbers of rules to firewalls. Can you imagine sticking all of the RBN and compromised hosts into a Checkpoint firewall via the GUI every 24 hours? Or a SonicWall? There's a nice little hell. And then reconciling the ones that have dropped out of being labeled hostile and removing those, etc.

And then you have the folks that just have a router on the perimeter, and depending on the model you may not have the RAM to have a shun route for every IP; you have to go with just those that you've seen and remove them after the timeout (SnortSam functionality).

So ya, in an ideal world firewalls are best for blocking and massive IP matching. But in reality it's difficult to use this threat data in that way.

Matt

Randal T. Rioux wrote:
Forgive me if I'm wrong, but isn't using Snort to implement an IP blocklist sub-optimal? Isn't this a better task for your firewall? I just think an IDS should stick to what it does best.

Randy

On Thu, May 7, 2009 6:38 pm, Martin Roesch wrote:

Yeah, you're hitting the rule chains iteratively and that's just not going to perform. If you want to filter large sets of IP addresses that would be more properly implemented as a preprocessor with dedicated functionality.

Marty

On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman () jonkmans com> wrote:

Straight IP matching is something Snort doesn't do well. Unfortunately. So this isn't that unexpected. I'd only run those rulesets where you can afford the cycles, or run a second Snort for these alone and turn off everything in its config to streamline some.

Matt

jlay () slave-tothe-box net wrote:

So here's something interesting. Enabling ANY of the below rulesets results in Snort using 100% CPU:

emerging-botcc.rules
emerging-compromised.rules
emerging-drop.rules
emerging-dshield.rules
emerging-rbn.rules
emerging-tor.rules

Without, Snort uses around 49%. Using 2.8.4.1 with about 700K average traffic. Any thoughts?

Thanks.

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
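As an added illustration of Marty's point about iterative rule-chain matching versus a dedicated preprocessor lookup (example code written for this page, not code from the thread, from Snort or from Emerging Threats): the same source address is checked against a constructed blocklist once by testing every prefix in turn, the way one rule per IP set is evaluated, and once by a single walk of a binary prefix trie. The blocklist is made up from private and RFC 5737 documentation space.

```python
import ipaddress

class PrefixTrie:
    """Binary trie keyed on IPv4 address bits. A node carrying "$" means
    every address under that prefix is listed, so one walk of at most 32
    bits answers the question regardless of how many prefixes are loaded."""
    def __init__(self):
        self.root = {}

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        for bit in format(int(net.network_address), "032b")[:net.prefixlen]:
            node = node.setdefault(bit, {})
        node["$"] = cidr

    def lookup(self, ip):
        """Return (matching prefix or None, number of trie edges followed)."""
        node, steps = self.root, 0
        for bit in format(int(ipaddress.ip_address(ip)), "032b"):
            if "$" in node:          # a shorter listed prefix already covers ip
                return node["$"], steps
            node = node.get(bit)
            steps += 1
            if node is None:         # ip diverged from every listed prefix
                return None, steps
        return node.get("$"), steps

def linear_lookup(ip, cidrs):
    """Per-rule style matching: test the address against every prefix in turn.
    Returns (matching prefix or None, number of prefixes examined)."""
    addr = ipaddress.ip_address(ip)
    for checked, cidr in enumerate(cidrs, 1):
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr, checked
    return None, len(cidrs)

# Constructed blocklist: 5120 private-space /24s plus one RFC 5737 range
# placed last, standing in for a few thousand reputation-list entries.
BLOCKLIST = [f"10.{i}.{j}.0/24" for i in range(20) for j in range(256)]
BLOCKLIST.append("203.0.113.0/24")
TRIE = PrefixTrie()
for c in BLOCKLIST:
    TRIE.add(c)

if __name__ == "__main__":
    for ip in ("203.0.113.9", "192.0.2.1"):   # a listed and an unlisted source
        print(ip, "linear:", linear_lookup(ip, BLOCKLIST), "trie:", TRIE.lookup(ip))
```

The number of comparisons, not wall-clock time, is what the thread's observation is about: the linear walk grows with every rule loaded, while the trie walk is bounded by the 32 bits of the address.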
Current thread:
- Certin ET rulesets and 100 percent usage. jlay (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 07)
- Re: Certin ET rulesets and 100 percent usage. Martin Roesch (May 07)
- Re: Certin ET rulesets and 100 percent usage. Randal T. Rioux (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 08)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 08)
- Re: Certin ET rulesets and 100 percent usage. Martin Roesch (May 07)
- Re: Certin ET rulesets and 100 percent usage. Matt Jonkman (May 07)