Re: Suppress versus #Rule for performance.

[JJC <cummingsj () gmail com>]

Just as a quick addendum and an "undocumented" feature of pulledpork... the
functions that enable/disable/drop sids do support basic regular
expressions... so if I want all of the MS00 or MS99 stuff modified... I
could do the following (basic example, mileage may vary)

MS00-.+,MS99-.+ etc....

hth,
JJC

On Thu, May 20, 2010 at 7:40 PM, Jason Wallace <jason.r.wallace () gmail com>wrote:

> Start by turning off categories you do not need. if you are not
> running imap, pop2, pop3, etc, comment out the category in snort.conf
> or skip them in OM/PP.
>
> After that I do the following...
> 1. turn everything else on *gasp*
>
> 2. then start using "grep -i" on the files for things I know I do not
> need (MS99, MS00, solaris, novel, mozilla, itunes, etc) and start
> sending their SID's to my disablesid.conf in PP. Over the years I've
> kept a running tab on stuff in the rules that I'll probably not have
> to deal with. This has made tuning new sensors easier.
>
> 3. Then I look for any -> any rules and turn any off I do not need
>
> 4. review big pcre rules and disable as needed
>
> 5. after that I just start working the alerts, reading the references,
> and disabling as needed.
>
> I do it this way because I would much rather have a little bloat in my
> rules then mistakenly turn something off I need. Not everyone agrees
> with this approach, but it works for me.
>
> Someday I hope the metadata tag moves to a point where specific
> applications are noted. That would make things much easier.
>
> Wally
>
>
> On Thu, May 20, 2010 at 5:33 PM, Ray Caparros <arcy24 () gmail com> wrote:
> > We used IDS Policy Manager in past from Activeworx seems pretty decent.
> >
> > http://www.activeworx.org/Downloads/tabid/54/Default.aspx
> >
> > -Ray
> >
> >
> > On Thu, May 20, 2010 at 5:23 PM, JJ Cummings <cummingsj () gmail com>
> wrote:
> > > Another approach might be to enable only what you need.  Using
> pulledpork
> > > you can enable everything for MSXX-XXXX as an example.  So compile a
> list of
> > > all of the MSXX-XXXXs from the year's that you want and put those in
> > > enablesid for PP.. .just as a thought....
> > > JJC
> > >
> > > On Thu, May 20, 2010 at 3:15 PM, Jefferson, Shawn
> > > <Shawn.Jefferson () bcferries com> wrote:
> > > > Hi,
> > > >
> > > >
> > > >
> > > > There are lots of rules for systems that we don’t run, and I’ve thought
> > > > about disabling them to improve performance, however this is a daunting
> job
> > > > as it seems I have to go into every rules file (actually oinkmaster or
> > > > pulled pork conf) and disable them.  How are other people doing this,
> or are
> > > > you just not doing it at all?
> > > >
> > > >
> > > >
> > > > Thanks,
> > > >
> > > > Shawn
> > > >
> > > >
> > > >
> > > > ________________________________
> > > >
> > > > From: Joel Esler [mailto:jesler () sourcefire com]
> > > > Sent: Thursday, May 20, 2010 2:04 PM
> > > > To: Bill Pickens
> > > > Cc: Snort-users () lists sourceforge net
> > > > Subject: Re: [Snort-users] Suppress versus #Rule for performance.
> > > >
> > > >
> > > >
> > > > On May 20, 2010, at 4:55 PM, Bill Pickens wrote:
> > > >
> > > > Hello Everyone,
> > > >
> > > > After Snort has loaded....
> > > >
> > > >
> > > >
> > > > Is there a difference in Snort performance between suppressing a rule
> or
> > > > "#" commenting the rule out?
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Commenting out a rule turns the rule off, which means that content does
> > > > not need to be memorized, therefore -- faster.
> > > >
> > > >
> > > >
> > > > Suppressing a rule just turns off the alert, the rule is still being
> ran.
> > > > --
> > > >
> > > > Joel Esler
> ------------------------------------------------------------------------------
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ------------------------------------------------------------------------------
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users