[Snort-devel] New feature wanted: Rule matching stats

Roy S. Rapoport snort-users at ...2006...
Thu Jun 26 04:46:08 EDT 2003


On Thu, Jun 26, 2003 at 12:13:18PM +0200, Martin Olsson wrote:
> ...then one could easily see what rules constantly match zero packets and
> what rules match _lots_ of times. The nonimportant rules could probably be
> removed and maybe the highly matched rules could be placed earlier in the
> rules list.
[...]
> Anyone else think this is a nice idea?

I think you may have it backwards.

I, for one, don't want to remove the rules that don't seem to be getting
attacks against them -- it's those attacks I want to know about, because
they're the ones that I'm not necessarily prepared for.  I want to remove
the rules that match a whole bunch of packets -- it's those 77 attempts to
give my UNIX box the SQL Worm that I really could care less about, or those
14 attempts to compromise my WEBDAV environment.

But I agree it'd be nice to get rule matching.  Though honestly, I can just
look at ACID to get that sort of information.  Actually, heck -- 
SELECT signature.sig_sid,COUNT(signature.sig_sid) FROM event,signature 
WHERE event.signature=signature.sig_id GROUP BY signature.sig_sid;

Works just fine!

-roy
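Roy's query above, run end to end as an added example (this is not code from the post or from the Snort/ACID projects). It builds an in-memory SQLite stand-in for the ACID database with a constructed subset of the `signature` and `event` tables, fills it with constructed rows, and runs the post's `SELECT ... GROUP BY signature.sig_sid` with an `ORDER BY` added so the noisiest SIDs come first. The `triage` helper, the `noise_threshold` parameter and the `LOADED_RULE_SIDS` set are assumptions made for the example: they split the result into Roy's candidates for removal (rules firing constantly) and Martin's (rules that never fire). The second set cannot come from ACID alone, because ACID only inserts a `signature` row the first time a rule fires, so the example compares the database against a list of SIDs read from the loaded rule files.

```python
import sqlite3

# Minimal subset of the ACID/Snort database schema (signature and event
# tables). Column names follow ACID; every row inserted below is constructed.
SCHEMA = """
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY,
    sig_name TEXT    NOT NULL,
    sig_sid  INTEGER NOT NULL
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,                       -- sensor id
    cid       INTEGER NOT NULL,                       -- event id on that sensor
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed signature rows: (sig_id, sig_name, sig_sid).
SIGNATURES = [
    (1, "MS-SQL worm propagation attempt", 2003),
    (2, "WEB-MISC WebDAV search access", 1070),
    (3, "SHELLCODE x86 NOOP", 648),
]

# Constructed event volume per sig_id, mirroring the post: 77 SQL-worm hits,
# 14 WebDAV hits, and one lone shellcode hit.
EVENT_COUNTS = {1: 77, 2: 14, 3: 1}

# Constructed (hypothetical) list of SIDs loaded from the sensor's rule files.
# ACID never sees a rule that has not fired, so "zero-match" rules can only
# be found by comparing this list against what the database knows about.
LOADED_RULE_SIDS = {2003, 1070, 648, 1390, 2049}


def build_sample_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    cid = 0
    for sig_id, n in EVENT_COUNTS.items():
        for _ in range(n):
            cid += 1
            conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                         (1, cid, sig_id, "2003-06-26 04:46:08"))
    conn.commit()
    return conn


# The query from the post, with ORDER BY added so the busiest SIDs come first.
MATCH_COUNT_QUERY = """
SELECT signature.sig_sid, COUNT(signature.sig_sid)
FROM event, signature
WHERE event.signature = signature.sig_id
GROUP BY signature.sig_sid
ORDER BY COUNT(signature.sig_sid) DESC
"""


def match_counts(conn):
    """Return [(sig_sid, hits), ...] for every signature that has fired, busiest first."""
    return conn.execute(MATCH_COUNT_QUERY).fetchall()


def triage(conn, loaded_sids, noise_threshold):
    """Split SIDs into 'noisy' (>= noise_threshold hits) and 'silent' (loaded but never fired)."""
    counts = dict(match_counts(conn))
    noisy = sorted((sid for sid, n in counts.items() if n >= noise_threshold),
                   key=lambda sid: -counts[sid])
    silent = sorted(loaded_sids - set(counts))
    return {"noisy": noisy, "silent": silent}


if __name__ == "__main__":
    db = build_sample_db()
    for sid, hits in match_counts(db):
        print(f"sid {sid}: {hits} events")
    print(triage(db, LOADED_RULE_SIDS, noise_threshold=10))
```

On a real ACID install the same query runs unchanged against MySQL; only the connection setup differs. The `noise_threshold` value is a policy choice, and a rule that is noisy but still relevant is usually better handled with Snort's threshold/suppress options than by deleting it.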