[Snort-devel] New feature wanted: Rule matching stats

Gianni Tedesco gianni at ...1804...
Mon Jul 7 05:39:09 EDT 2003

On Mon, 2003-07-07 at 13:21, Martin Olsson wrote:
> > This is a cool idea and one I have ruminated on for a while. I think the
> > best solution would be dynamically updated.
> I don't know if that is possible, that's why I only asked for the feature
> to dump statistics, and then manually optimize the rules.
> Isn't the _order_ of rules loaded important? If I have a rule matching
> "C:\WINNT\SYSTEM32" and another one matching only "C:\", I don't want the
> latter to be moved in front of the first by an optimizing routine... :)

Not sure, I think snort2.0 does some more complex stuff whereby it scans
all rules for which a pattern matched; that would kind of demolish the
"move the most matched rules to the front of the list thing" if they are
all going to be matched anyway...

I think our real case for optimisation is probably by moving the OTNs
most likely to cause a mis-match to the head of the list, eg if you

 ttl<100; seq: 666;

then seq is prolly gonna mismatch more than the ttl, making it wise to
put seq to the head of the list, so you can skip that rule quicker.
Obviously by recording hit/miss count, you can know which is really most
likely. Most of the rules seem optimised for this kind of thing anyway,
so it's probably not much of a win...

// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030707/c4b2f27f/attachment.sig>

More information about the Snort-devel mailing list