[Snort-devel] Optimized?

Marc Norton marc.norton at ...402...
Fri Dec 19 06:18:01 EST 2003


Snort handles this pretty well.  Remember, most traffic is eliminated by
the high speed content checking and never makes it to that test. 

Marc Norton - Senior Software Engineer -
marc.norton at ...402...
 

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Martin Olsson
> Sent: Friday, December 19, 2003 8:27 AM
> To: snort-devel mailinglist
> Subject: [Snort-devel] Optimized?
> 
> 
> Does snort optimize the "any" options to reduce CPU usage?
> 
> Given these two rules:
> 
> alert tcp any any -> any 80 (msg:"foo"; content: "foo"; .....)
> alert tcp 1.1.1.1 any -> 2.2.2.2 80 (msg:"foo"; content: "foo"; .....)
> 
> Is snort smart and does it only use CPU resources to match the dst-port
> and content of rule #1, while it matches src, dst and dst-port for
> rule #2?
> 
> Or is snort "dumb" and always performs the matching mechanism on
> *everything*, even if the field is set to any?
> 
> 
> This question was raised when deciding what to set EXTERNAL_NET to.
> Will EXTERNAL_NET=!$HOME_NET use more CPU than EXTERNAL_NET=any, given
> that HOME_NET=192.168.0.0/16?
> 
> /Martin
> 
> 
> 

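The ordering described in the reply above, as an added toy model in C (not Snort source and not part of the original thread): the content check runs before the address test, so an address comparison is executed only for packets that already contain the content. The struct and function names, the 10.0.0.x sources and the one-in-fifty hit rate are constructed for illustration, and `strstr` stands in for Snort's content matcher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model; all types and names here are hypothetical, not Snort's. */
struct net  { int any, negate; uint32_t addr, mask; };
struct rule { struct net src, dst; uint16_t dport; const char *content; };
struct pkt  { uint32_t src, dst; uint16_t dport; const char *payload; };
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
static unsigned long addr_tests;   /* address comparisons actually executed */

static int net_match(const struct net *n, uint32_t ip) {
    if (n->any) return 1;                     /* "any" costs no comparison */
    addr_tests++;
    int inside = (ip & n->mask) == n->addr;
    return n->negate ? !inside : inside;      /* negate models !$HOME_NET */
}

/* Content is checked first, so packets without it never reach net_match(). */
static int rule_match(const struct rule *r, const struct pkt *p) {
    if (p->dport != r->dport) return 0;
    if (strstr(p->payload, r->content) == NULL) return 0;
    return net_match(&r->src, p->src) && net_match(&r->dst, p->dst);
}

/* Runs n constructed port-80 packets (every 50th carries "foo") through the
 * rule; returns the alert count and leaves the cost in addr_tests. */
static unsigned long run(const struct rule *r, unsigned long n) {
    unsigned long alerts = 0;
    addr_tests = 0;
    for (unsigned long i = 0; i < n; i++) {
        struct pkt p = { IP(10,0,0,1 + i % 200), IP(192,168,0,10), 80,
                         i % 50 == 0 ? "GET /foo HTTP/1.0" : "GET / HTTP/1.0" };
        alerts += rule_match(r, &p);
    }
    return alerts;
}

/* src "any" versus src !192.168.0.0/16 (EXTERNAL_NET=!$HOME_NET). */
static const struct rule r_any = { {1,0,0,0}, {1,0,0,0}, 80, "foo" };
static const struct rule r_neg = { {0,1,IP(192,168,0,0),IP(255,255,0,0)}, {1,0,0,0}, 80, "foo" };

int main(void) {
    unsigned long a = run(&r_any, 10000);
    printf("any:       alerts=%lu addr_tests=%lu\n", a, addr_tests);
    a = run(&r_neg, 10000);
    printf("!HOME_NET: alerts=%lu addr_tests=%lu\n", a, addr_tests);
    return 0;
}
```

In this model the negated network costs one address comparison per packet that already matched the content, not one per packet seen.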