Snort mailing list archives
Re: Snort rules maximum rules per file
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 15 Jul 2011 14:05:01 -0400
Hussein, thanks for reporting the problem. I was able to recreate it using locally generated rules and have opened a bug. Don't have any additional suggestions at this point but will keep you posted.

Russ

On Sat, Jul 2, 2011 at 4:02 AM, Hussein Bahaidarah <husseinb () gmail com> wrote:

Hello Martin,

I know that snort is not designed to do that; but I have to use it for many reasons, as my experiment dictates using IDS/IPS. I can not use Squid; it is a proxy engine and does not serve my purpose.

Thanks

On Jul 1, 2011, at 9:56 PM, Martin Holste wrote:

You are using the wrong tool for URL blocking. You should be using squid for this with policy-based routing to transparently redirect all requests through squid as a transparent proxy.

On Fri, Jul 1, 2011 at 1:12 PM, Hussein Bahaidarah <husseinb () gmail com> wrote:

Hello, no warning was displayed. All rules are simple and of the following format:

alert tcp any any -> any 80 ( content:"URL"; react:; sid:1; )

The content is changed on every rule, which is basically a URL, and the SID is incremented from 1 to 942099.

My system has 4GB memory. Before using snort 600MB is used and after snort full memory is utilized. That is on 2.9.0.5. Now, I have switched to Version 2.9.1_beta as the "react" option was not firing on multiple rules.

I am testing snort with IXIA; but the results are not good as it seems that I am not configuring Snort in the right way. I need to achieve blocking for a big number of URLs with snort. Do you have any recommendations in this regard to tweak and optimize snort performance.

Thanks,

On Jun 29, 2011, at 7:52 PM, Russ Combs wrote:

We have kicked this around internally, and don't have a simple configuration suggestion to try, so a few questions ...

Did you see any warnings in the startup output when you loaded 942099 rules? What kind of rules are these? Are they all very simple rules or rules with lots of options? How much memory does your system have? How much is used before and after starting Snort with all those rules?

Thanks
Russ

On Sun, Jun 26, 2011 at 1:04 PM, Hussein Bahaidarah <husseinb () gmail com> wrote:

Hello, I have found after extensive testing that only 131008 rules fire alert and action. Any rule after that will not take any action.
On Jun 25, 2011, at 8:39 PM, Hussein Bahaidarah wrote:

Hello, Is there a limit on the number of rules supported by snort in general, and on a per-file basis? I have customized a file with 942099 rules and it took about 15 minutes to start snort; but no alerts or actions were fired.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
942099 Snort rules read
    942099 detection rules
    0 decoder rules
    0 preprocessor rules
942099 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst  942099       0       0       0
|     any       0       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+------------------------------------------------------------------------------

Regards,
Hussein Bahaidara

------------------------------------------------------------------------------
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
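An added example, not part of the thread and not Snort project code: a small Python parser for the one-line rule format quoted above. It groups rules by their header and prints a summary in the spirit of the startup output Hussein posted, so that before loading a generated rule set you can see why N rules with the header "alert tcp any any -> any 80" all collapse into a single chain header and a single dst-port bucket, and catch duplicate SIDs. The rule generator, the host names in the content strings and the bucket names are constructed for this example; the grouping is a simplified model of how rules share a header, not Snort's actual port-table logic.

```python
"""Group Snort-style rules by header, loosely modelling Snort's startup summary.

Constructed example for the mailing-list thread above, not code from the
Snort project. The rule generator, hostnames and bucket names are assumptions.
"""
import re
from collections import Counter, defaultdict

# header = action proto src sport dir dst dport, followed by "( options )"
RULE_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Split one rule into (header_tuple, {option: value}).

    Toy splitter: options are cut at ';', so escaped semicolons inside a
    content string are not handled. Sufficient for the format in the thread.
    """
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    header = (m['action'], m['proto'], m['src'], m['sport'],
              m['dir'], m['dst'], m['dport'])
    opts = {}
    for opt in m['opts'].split(';'):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip()
    return header, opts


def port_bucket(sport, dport):
    """Row of a port-count table the rule falls in (simplified: src/dst/any/s+d)."""
    if sport != 'any' and dport != 'any':
        return 's+d'
    if dport != 'any':
        return 'dst'
    if sport != 'any':
        return 'src'
    return 'any'


def summarize(rules):
    """Return (chains, port_counts, duplicate_sids) for a list of rule strings.

    chains maps each distinct header to the SIDs that share it (the "option
    chains" per "chain header" in Snort's output); port_counts maps
    proto -> Counter of bucket names; duplicate_sids lists SIDs seen twice.
    """
    chains = defaultdict(list)
    port_counts = defaultdict(Counter)
    sid_seen = Counter()
    for line in rules:
        header, opts = parse_rule(line)
        sid = opts.get('sid')
        sid_seen[sid] += 1
        chains[header].append(sid)
        proto, sport, dport = header[1], header[3], header[6]
        port_counts[proto][port_bucket(sport, dport)] += 1
    dups = sorted(s for s, n in sid_seen.items() if n > 1)
    return chains, port_counts, dups


def make_url_rules(n, start=1, dport='80'):
    """Constructed rules in the thread's format, one distinct URL per SID."""
    return ['alert tcp any any -> any %s ( content:"http://host%d.example/"; react:; sid:%d; )'
            % (dport, i, i) for i in range(start, start + n)]


def report(rules):
    """Text summary in the spirit of Snort's startup output."""
    chains, ports, dups = summarize(rules)
    out = ["%d rules read" % len(rules),
           "%d option chains linked into %d chain headers" % (len(rules), len(chains))]
    for header, sids in chains.items():
        out.append("  %-40s %d rules" % (' '.join(header), len(sids)))
    for proto, buckets in sorted(ports.items()):
        out.append("  %s port buckets: %s" % (proto, dict(buckets)))
    if dups:
        out.append("  duplicate sids: %s" % ', '.join(dups))
    return '\n'.join(out)


if __name__ == '__main__':
    # 1000 generated URL rules -> 1 chain header, 1000 rules in the tcp 'dst' bucket
    print(report(make_url_rules(1000)))
```

Run against a generated file (one rule per line, fed to summarize) before starting Snort: a single chain header holding every rule means each matching packet is evaluated against the whole set, which is the situation the startup counts in the thread describe.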