[Snort-devel] New feature wanted: Rule matching stats

Gianni Tedesco gianni at ...1804...
Thu Jul 3 07:23:02 EDT 2003

On Thu, 2003-06-26 at 11:43, Roy S. Rapoport wrote:
> I think you may have it backwards.
> I, for one, don't want to remove the rules that don't seem to be getting
> attacks against them -- it's those attacks I want to know about, because
> they're the ones that I'm not necessarily prepared for.  I want to remove
> the rules that match a whole bunch of packets -- it's those 77 attempts to
> give my UNIX box the SQL Worm that I really could care less about, or those
> 14 attempts to compromise my WEBDAV environment.

I think Martin meant more like optimising the data structure to reduce
average search time. Kind of like the self-optimizing splay trees used
in stream4 and ip defragmentation, or like move-to-front heuristic in
linked lists.

This is a cool idea and one I have ruminated on for a while. I think the
best solution would be dynamically updated.

I'm not that familiar with the snort internals, but from how I
understand it, it would probably be quite simple to keep
counters/histogram for each RTNs/OTNs and just run an optimizer function
after every 100,000 packets or something to decrease the per-packet

Sounds like a fun research project for someone anyway :)

// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
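A sketch of the counters-plus-periodic-optimizer idea from the post, added here as an illustration; this is not Snort's code or Gianni's. The `rule_t` node, the first-match walk, the three rules and the traffic sample are all made up, and `REORDER_INTERVAL` is shrunk to 4 so the effect is visible on eight packets.

```c
#include <string.h>
/* Hypothetical rule node standing in for a Snort RTN/OTN (illustrative code,
 * not Snort's own structure). */
typedef struct rule {
    const char *name, *pattern;  /* pattern: substring sought in the payload */
    unsigned long hits;          /* per-rule histogram counter */
    struct rule *next;
} rule_t;
#define REORDER_INTERVAL 4  /* toy value; the post suggests ~100,000 */
/* Constructed rules and traffic sample: mostly worm noise, one WebDAV probe. */
static rule_t rules[] = { { "rare-exploit", "RARE", 0, NULL },
    { "webdav-probe", "PROPFIND", 0, NULL }, { "sql-worm", "SQL", 0, NULL } };
static const char *payloads[] = { "GET / HTTP/1.0", "SQL SQL", "SQL worm",
    "PROPFIND /", "SQL again", "SQL again", "nothing here", "SQL" };
#define NRULES    (sizeof rules / sizeof rules[0])
#define NPAYLOADS (sizeof payloads / sizeof payloads[0])

/* First match wins; *examined counts nodes visited, i.e. the per-packet cost. */
rule_t *match_packet(rule_t *head, const char *payload, int *examined) {
    for (*examined = 0; head; head = head->next) {
        ++*examined;
        if (strstr(payload, head->pattern)) { head->hits++; return head; }
    }
    return NULL;
}

/* Optimizer pass (every REORDER_INTERVAL packets): stable insertion sort by hits. */
rule_t *reorder_by_hits(rule_t *head) {
    rule_t *sorted = NULL;
    while (head) {
        rule_t *cur = head, **pp = &sorted;
        head = head->next;
        while (*pp && (*pp)->hits >= cur->hits) pp = &(*pp)->next;
        cur->next = *pp, *pp = cur;
    }
    return sorted;
}

/* Relink chain with zeroed counters, replay the sample; *total = nodes visited. */
rule_t *run_demo(long *total) {
    for (size_t i = 0; i < NRULES; i++)
        rules[i].hits = 0, rules[i].next = i + 1 < NRULES ? &rules[i + 1] : NULL;
    rule_t *head = &rules[0];
    int ex; *total = 0;
    for (size_t i = 0; i < NPAYLOADS; i++) {
        match_packet(head, payloads[i], &ex);
        *total += ex;
        if ((i + 1) % REORDER_INTERVAL == 0) head = reorder_by_hits(head);
    }
    return head;
}
```

With the worm rule promoted to the front after the first reorder, the eight packets cost 17 node visits instead of the 23 a fixed order would need; the same counters also give the per-rule hit histogram Roy asked for.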

