Snort mailing list archives
Re: Suppress versus #Rule for performance.
From: JJC <cummingsj () gmail com>
Date: Fri, 28 May 2010 08:06:47 -0600
Just as a quick addendum and an "undocumented" feature of pulledpork... the functions that enable/disable/drop sids do support basic regular expressions... so if I want all of the MS00 or MS99 stuff modified... I could do the following (basic example, mileage may vary):

MS00-.+,MS99-.+

etc.... hth,
JJC

On Thu, May 20, 2010 at 7:40 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:

Start by turning off categories you do not need. If you are not running imap, pop2, pop3, etc., comment out the category in snort.conf or skip them in OM/PP. After that I do the following...

1. Turn everything else on *gasp*
2. Then start using "grep -i" on the files for things I know I do not need (MS99, MS00, solaris, novel, mozilla, itunes, etc.) and start sending their SIDs to my disablesid.conf in PP. Over the years I've kept a running tab on stuff in the rules that I'll probably not have to deal with. This has made tuning new sensors easier.
3. Then I look for any -> any rules and turn off any I do not need.
4. Review big pcre rules and disable as needed.
5. After that I just start working the alerts, reading the references, and disabling as needed.

I do it this way because I would much rather have a little bloat in my rules than mistakenly turn something off I need. Not everyone agrees with this approach, but it works for me. Someday I hope the metadata tag moves to a point where specific applications are noted. That would make things much easier.

Wally

On Thu, May 20, 2010 at 5:33 PM, Ray Caparros <arcy24 () gmail com> wrote:

We used IDS Policy Manager in the past from Activeworx; it seems pretty decent. http://www.activeworx.org/Downloads/tabid/54/Default.aspx

-Ray

On Thu, May 20, 2010 at 5:23 PM, JJ Cummings <cummingsj () gmail com> wrote:

Another approach might be to enable only what you need. Using pulledpork you can enable everything for MSXX-XXXX as an example. So compile a list of all of the MSXX-XXXXs from the years that you want and put those in enablesid for PP... just as a thought....

JJC

On Thu, May 20, 2010 at 3:15 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Hi,

There are lots of rules for systems that we don't run, and I've thought about disabling them to improve performance; however, this is a daunting job as it seems I have to go into every rules file (actually oinkmaster or pulled pork conf) and disable them. How are other people doing this, or are you just not doing it at all?

Thanks,
Shawn

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, May 20, 2010 2:04 PM
To: Bill Pickens
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Suppress versus #Rule for performance.

On May 20, 2010, at 4:55 PM, Bill Pickens wrote:

Hello Everyone,

After Snort has loaded.... Is there a difference in Snort performance between suppressing a rule or "#" commenting the rule out?

Commenting out a rule turns the rule off, which means that content does not need to be memorized, therefore -- faster. Suppressing a rule just turns off the alert; the rule is still being run.

--
Joel Esler

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
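The tuning workflow the thread describes (a case-insensitive grep over the rule files for product names or MS00-/MS99- style patterns, collecting the matching SIDs into a pulledpork disablesid.conf, picking out any -> any rules, and the difference between commenting a rule out and merely suppressing it), as an added Python example that is not part of the original thread and is not pulledpork's or Snort's own code. The rule lines, SIDs (local 1000000+ range), and patterns are constructed for the example; matching the patterns only against each rule's msg field is this example's simplification of how pulledpork applies its regular expressions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample rule file contents (not from any real Snort ruleset);
# SIDs sit in the local 1000000+ range so they collide with nothing shipped.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS example MS00-001 request"; flow:to_server,established; content:"/ms00"; reference:url,example.invalid/ms00; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP example login overflow"; flow:to_server,established; content:"LOGIN"; sid:1000002; rev:2;)
alert tcp any any -> any any (msg:"POLICY example any-to-any chatter"; content:"hello"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS example MS99-002 request"; flow:to_server,established; content:"/ms99"; reference:url,example.invalid/ms99; sid:1000004; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 example USER overflow"; content:"USER"; sid:1000005; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<header>[^(]+)\((?P<body>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


@dataclass
class Rule:
    enabled: bool          # False when the line is already '#' commented out
    gid: int
    sid: int
    msg: str
    header: List[str]      # action, proto, src, sport, direction, dst, dport
    line_no: int


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line; lines without a sid (blank, plain comments) are skipped."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid = SID_RE.search(m.group('body'))
        if not sid:
            continue
        gid = GID_RE.search(m.group('body'))
        msg = MSG_RE.search(m.group('body'))
        rules.append(Rule(
            enabled=m.group('off') is None,
            gid=int(gid.group(1)) if gid else 1,   # Snort's default generator id
            sid=int(sid.group(1)),
            msg=msg.group(1) if msg else '',
            header=m.group('header').split(),
            line_no=n,
        ))
    return rules


def key(rule: Rule) -> str:
    return f"{rule.gid}:{rule.sid}"


def select_sids(rules: List[Rule], patterns: List[str]) -> List[str]:
    """gid:sid keys of enabled rules whose msg matches any pattern, case-insensitively
    like `grep -i`. Patterns such as MS00-.+ are the form the thread says pulledpork
    accepts; matching them against msg only is this example's assumption."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [key(r) for r in rules if r.enabled and any(c.search(r.msg) for c in compiled)]


def any_any_sids(rules: List[Rule]) -> List[str]:
    """Step 3 from the thread: enabled rules whose header is `any any -> any any`."""
    out = []
    for r in rules:
        if r.enabled and len(r.header) >= 7:
            _, _, src, sport, _, dst, dport = r.header[:7]
            if (src, sport, dst, dport) == ('any',) * 4:
                out.append(key(r))
    return out


def render_disablesid(keys: List[str]) -> str:
    """One gid:sid per line, the form a pulledpork disablesid.conf takes."""
    return "\n".join(keys) + "\n"


def apply_disable(text: str, keys: List[str]) -> str:
    """What the '#' approach does to the rule file: the rule is commented out, so Snort
    never loads its content into the pattern matcher. A suppress entry would instead
    leave the rule running and only hide the alert, which is the point of the thread."""
    wanted = set(keys)
    by_line = {r.line_no: r for r in parse_rules(text)}
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        r = by_line.get(n)
        if r and r.enabled and key(r) in wanted:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    drop = select_sids(rules, ["MS00-.+", "MS99-.+"]) + any_any_sids(rules)
    print(render_disablesid(drop))
    print(apply_disable(SAMPLE_RULES, drop))
```

Running the script prints a disablesid.conf fragment covering the two MS-tagged rules and the any -> any rule, followed by the rule file as it would look after commenting those three out; the already-disabled POP3 line is left untouched and never selected, so re-running the pass is idempotent.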
Current thread:
- Suppress versus #Rule for performance. Bill Pickens (May 20)
- Re: Suppress versus #Rule for performance. Joel Esler (May 20)
- Re: Suppress versus #Rule for performance. Jefferson, Shawn (May 20)
- Re: Suppress versus #Rule for performance. Joel Esler (May 20)
- Re: Suppress versus #Rule for performance. JJ Cummings (May 20)
- Re: Suppress versus #Rule for performance. Ray Caparros (May 20)
- Re: Suppress versus #Rule for performance. Jason Wallace (May 20)
- Re: Suppress versus #Rule for performance. JJC (May 28)
- Re: Suppress versus #Rule for performance. Joel Esler (May 28)
- Re: Suppress versus #Rule for performance. Jefferson, Shawn (May 20)
- Re: Suppress versus #Rule for performance. Joel Esler (May 20)