Snort mailing list archives
Re: rule timing and benchmarking
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 23 Aug 2013 13:40:52 -0400
On 8/23/2013 10:24, Mike Miller wrote:
Is there a significant performance impact by listing an excessively large number of IP addresses in a rule?
yes... there is a performance impact... the best way, it seems, is to script a rule generator that lists X IPs per rule... this seems to be the most common method used... emerging threats (for example) does this with many of their IP-based rules files... they have two entries for each set so as to split tcp and udp, which helps to lessen the performance impact...

however, you may be able to use the new reputation functionality... you simply list the IPs or IP/CIDR, one per line, in the reputation preprocessor's IP list file... supposedly this is much faster than the text-based static rules format mentioned above... this blocks all listed entries or allows them if they are listed in the whitelist... there is a bit more to it than this but this is the gist...

if/when you look into this, do not be confused by the (poor) naming of black_list.rules and blacklist.rules... they are quite separate and distinct... blacklist.rules is distributed by VRT and is textual rules looking at DNS lookups for known bad or infestation-delivering domains... they are not IP oriented... black_list.rules, on the other hand, is the IP and/or IP/CIDR based format i mention above... this one uses the reputation preprocessor, which is where you might want to look in this endeavor...

NOTE: for clarity, i have proposed that the black_list.rules and white_list.rules files be renamed in the sample config as well as the empty distributed ones... this to alleviate the confusion of similarity of names with the blacklist.rules file... in the installs that i manage, we have selected to prefix the preprocessor's rules files with RPP_ such that they are known as RPP_black_list.rules and RPP_white_list.rules...

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
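The two approaches in the reply side by side, as an added example that is not part of the post or of any Snort or Emerging Threats distribution: a small generator that chunks an IP/CIDR list into Snort rules of X addresses each (separate tcp and udp rules, as described), and writes the same entries in the one-per-line format the reputation preprocessor's list file uses. The sample list, SIDs and message text are constructed for the example.

```python
from ipaddress import ip_network

# Constructed sample list: one IP or CIDR per line, '#' starts a comment.
# These are documentation ranges, not real indicators.
SAMPLE_LIST = """\
# constructed sample, not a real indicator feed
192.0.2.10
192.0.2.11
198.51.100.0/24
203.0.113.7
"""

def parse_ip_list(text):
    """Return validated IP/CIDR strings, skipping blanks and comments.
    Single hosts are kept without a /32 suffix; invalid lines raise."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net = ip_network(line, strict=False)
        host_only = net.prefixlen == net.max_prefixlen
        entries.append(str(net.network_address) if host_only else str(net))
    return entries

def generate_rules(entries, per_rule, base_sid, msg="IP list hit"):
    """One alert rule per chunk of `per_rule` addresses, emitted once for
    tcp and once for udp (the split the reply attributes to ET's IP rules).
    Only the address list grows; SIDs are assigned sequentially."""
    rules, sid = [], base_sid
    for i in range(0, len(entries), per_rule):
        addr = "[" + ",".join(entries[i:i + per_rule]) + "]"
        for proto in ("tcp", "udp"):
            rules.append(f'alert {proto} {addr} any -> $HOME_NET any '
                         f'(msg:"{msg} ({proto})"; sid:{sid}; rev:1;)')
            sid += 1
    return rules

def reputation_list(entries):
    """Same entries in the reputation preprocessor's list-file format:
    one IP or CIDR per line, no rule syntax at all."""
    return "\n".join(entries) + "\n"

if __name__ == "__main__":
    ips = parse_ip_list(SAMPLE_LIST)
    print("\n".join(generate_rules(ips, per_rule=2, base_sid=1000001)))
    print(reputation_list(ips))
```

The reputation list output is what goes into the file referenced by the preprocessor's `blacklist` (or `whitelist`) option in snort.conf; the chunked rules are the older text-based alternative the reply compares it against.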