[Snort-devel] New feature wanted: Rule matching stats

Martin Olsson elof at ...969...
Mon Jul 7 05:22:05 EDT 2003


On 3 Jul 2003, Gianni Tedesco wrote:
> On Thu, 2003-06-26 at 11:43, Roy S. Rapoport wrote:
> > I think you may have it backwards.
> > I, for one, don't want to remove the rules that don't seem to be getting
> > attacks against them -- it's those attacks I want to know about, because
> > they're the ones that I'm not necessarily prepared for.  I want to remove
> > the rules that match a whole bunch of packets -- it's those 77 attempts to
> > give my UNIX box the SQL Worm that I really could care less about, or those
> > 14 attempts to compromise my WEBDAV environment.
> I think Martin meant more like optimising the data structure to reduce
> average search time. Kind of like the self-optimizing splay trees used
> in stream4 and ip defragmentation, or like move-to-front heuristic in
> linked lists.

Exactly.

> This is a cool idea and one I have ruminated on for a while. I think the
> best solution would be dynamically updated.

I don't know if that is possible, that's why I only asked for the feature
to dump statistics, and then manually optimize the rules.

Isn't the _order_ of rules loaded important? If I have a rule matching
"C:\WINNT\SYSTEM32" and another one matching only "C:\", I don't want the
latter to be moved in front of the first by an optimizing routine... :)

/Martin
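The two ideas in this exchange, a per-rule hit-count dump and a move-to-front style reordering by hit count, together with the order-dependence caveat Martin raises, can be shown with a toy first-match rule list. The following is an added example written for this page; it is not Snort code and does not use Snort's rule structures. The sids, rule contents and the "traffic" it is trained on are constructed for the example. It goes one step beyond the manual reordering Martin proposes by also showing an automatic reorder that refuses to move a general rule (content `C:\`) ahead of a more specific rule whose content contains it (`C:\WINNT\SYSTEM32`).

```python
# Added example (not Snort code): a linear, first-match rule list with
# per-rule hit counters, a statistics dump, and two reordering policies.
# Rule ids, contents and traffic below are constructed for this example.
from dataclasses import dataclass
import heapq


@dataclass
class Rule:
    sid: int          # hypothetical rule id
    content: bytes    # substring the rule looks for in the payload
    msg: str
    hits: int = 0


class RuleList:
    """First-match semantics: the first rule whose content is in the payload wins."""

    def __init__(self, rules):
        self.rules = list(rules)

    def match(self, payload: bytes):
        for r in self.rules:
            if r.content in payload:
                r.hits += 1
                return r
        return None

    def stats(self):
        """The feature asked for in the thread: per-rule hit counts, in list order."""
        return [(r.sid, r.hits) for r in self.rules]

    def order(self):
        return [r.sid for r in self.rules]

    def reorder_by_hits_naive(self):
        """Plain move-to-front by hit count; ignores relationships between rules."""
        self.rules.sort(key=lambda r: r.hits, reverse=True)

    def reorder_by_hits_safe(self):
        """Move hot rules forward, but never let a general rule overtake a more
        specific rule whose content contains it. Kahn's algorithm over the
        'must precede' graph, picking among ready rules by descending hits.
        Containment is a partial order, so the graph has no cycles."""
        n = len(self.rules)
        succ = [[] for _ in range(n)]   # specific -> generals it must stay ahead of
        indeg = [0] * n
        for i, a in enumerate(self.rules):
            for j, b in enumerate(self.rules):
                if i != j and a.content != b.content and b.content in a.content:
                    succ[i].append(j)
                    indeg[j] += 1
        ready = [(-r.hits, i) for i, r in enumerate(self.rules) if indeg[i] == 0]
        heapq.heapify(ready)
        out = []
        while ready:
            _, i = heapq.heappop(ready)
            out.append(self.rules[i])
            for j in succ[i]:
                indeg[j] -= 1
                if indeg[j] == 0:
                    heapq.heappush(ready, (-self.rules[j].hits, j))
        assert len(out) == n
        self.rules = out


def fresh_rules():
    # Specific rule deliberately listed before the general one, as Martin wants.
    return RuleList([
        Rule(1000001, b"C:\\WINNT\\SYSTEM32", "specific: system32 path"),
        Rule(1000002, b"C:\\", "general: any C: drive path"),
        Rule(1000003, b"/etc/passwd", "unix passwd fetch"),
    ])


# Constructed traffic: mostly noise the operator does not care about.
TRAFFIC = ([b"GET /../../../etc/passwd HTTP/1.0"] * 5
           + [b"cmd=C:\\temp\\x.exe"] * 3
           + [b"cmd=C:\\WINNT\\SYSTEM32\\cmd.exe"] * 2)


def train(rl, traffic):
    for payload in traffic:
        rl.match(payload)
    return rl


def run_demo():
    """Returns the stats dump and, for each policy, the new order and which
    rule a SYSTEM32 probe is attributed to after reordering."""
    probe = b"cmd=C:\\WINNT\\SYSTEM32\\cmd.exe"
    naive = train(fresh_rules(), TRAFFIC)
    naive.reorder_by_hits_naive()
    safe = train(fresh_rules(), TRAFFIC)
    safe.reorder_by_hits_safe()
    return {
        "stats": train(fresh_rules(), TRAFFIC).stats(),
        "naive_order": naive.order(),
        "naive_probe": naive.match(probe).sid,
        "safe_order": safe.order(),
        "safe_probe": safe.match(probe).sid,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

With the constructed traffic the general `C:\` rule collects more hits than the specific `C:\WINNT\SYSTEM32` rule, so a plain sort by hits puts the general rule first and a later SYSTEM32 payload is reported under the general sid. The constraint-aware reorder still moves the noisy `/etc/passwd` rule to the front but keeps the specific rule ahead of the general one, which is the property an automatic optimizer would have to guarantee before it could safely replace the manual step.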