[Snort-devel] New feature wanted: Rule matching stats
Roy S. Rapoport
snort-users at ...2006...
Thu Jun 26 04:46:08 EDT 2003
On Thu, Jun 26, 2003 at 12:13:18PM +0200, Martin Olsson wrote:
> ...then one could easily see what rules constantly match zero packets and
> what rules match _lots_ of times. The nonimportant rules could probably be
> removed and maybe the highly matched rules could be placed earlier in the
> rules list.
> Anyone else think this is a nice idea?
I think you may have it backwards.
I, for one, don't want to remove the rules that don't seem to be getting
attacks against them -- it's those attacks I want to know about, because
they're the ones that I'm not necessarily prepared for. I want to remove
the rules that match a whole bunch of packets -- it's those 77 attempts to
give my UNIX box the SQL Worm that I really could care less about, or those
14 attempts to compromise my WEBDAV environment.
But I agree it'd be nice to get rule matching. Though honestly, I can just
look at ACID to get that sort of information. Actually, heck --
SELECT signature.sig_sid, COUNT(signature.sig_sid)
  FROM event, signature
 WHERE event.signature = signature.sig_id
 GROUP BY signature.sig_sid;
Works just fine!
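For sites that do not log to a database, the same per-rule counts can be pulled straight out of Snort's alert_fast output. The script below is an added example, not code from the original post or from the Snort project: it assumes the Snort 2.x alert_fast line layout (`[gid:sid:rev] msg` between two `[**]` markers) and the standard `sid:N;` / `msg:"..."` rule options, and it runs on a small constructed alert log and rule set embedded inline. It ranks rules by how often they fired (the noisy ones Roy wants to drop) and also lists the enabled rules that never fired at all (the ones Martin proposed removing), so both halves of the thread can be checked from one pass.

```python
"""Per-rule match counts from Snort alert_fast output, plus the enabled rules
that never fired. Added example; not from the original post or from Snort."""
import re
from collections import Counter

# Constructed sample alert_fast lines (assumed Snort 2.x layout, RFC 5737 addresses).
ALERT_LOG = """\
06/26-04:31:02.118231  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 192.0.2.10:1434
06/26-04:31:07.002115  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.44:1434 -> 192.0.2.10:1434
06/26-04:32:19.560004  [**] [1:2090:1] WEB-IIS WEBDAV exploit attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3021 -> 192.0.2.20:80
06/26-04:33:00.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.77:1434 -> 192.0.2.10:1434
this line is not an alert and must be ignored
"""

# Constructed rule set (sid/msg values are illustrative, not the real VRT rules).
RULES = """\
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; sid:2003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"SEARCH "; depth:8; sid:2090; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; content:"|00 01 57 00 00 00 18|"; sid:1324; rev:3;)
# a commented-out rule is not enabled, so it must not show up as "never fired"
# alert tcp any any -> any any (msg:"disabled rule"; sid:9999999; rev:1;)
"""

# "[**] [gid:sid:rev] message [**]" from an alert_fast line
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def count_matches(alert_text):
    """Return ({(gid, sid): count}, {(gid, sid): msg}) from alert_fast lines.
    Lines that do not parse are skipped, never counted."""
    counts = Counter()
    msgs = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        msgs[key] = m.group(4)
    return counts, msgs


def active_rules(rules_text):
    """Return {sid: msg} for enabled (uncommented) rules that carry a sid."""
    rules = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        msg = MSG_RE.search(line)
        rules[int(sid.group(1))] = msg.group(1) if msg else ""
    return rules


def rule_stats(alert_text, rules_text):
    """Return (ranked, never_fired).
    ranked: [(sid, count, msg)] descending by count.
    never_fired: sorted [(sid, msg)] for enabled rules with zero alerts.
    Rules are keyed by sid only (rule files here carry no gid), so a
    non-default gid in the alerts would not be matched back to a rule."""
    counts, msgs = count_matches(alert_text)
    rules = active_rules(rules_text)
    ranked = [(sid, n, msgs[(gid, sid)]) for (gid, sid), n in counts.most_common()]
    fired = {sid for (_gid, sid) in counts}
    never_fired = sorted((sid, msg) for sid, msg in rules.items() if sid not in fired)
    return ranked, never_fired


if __name__ == "__main__":
    ranked, never_fired = rule_stats(ALERT_LOG, RULES)
    print("rules by match count:")
    for sid, n, msg in ranked:
        print(f"  {n:6d}  sid:{sid}  {msg}")
    print("enabled rules that never fired:")
    for sid, msg in never_fired:
        print(f"          sid:{sid}  {msg}")
```

A rule that never fires cannot be found from the ACID `signature` table alone, since that table only holds signatures that have produced at least one event; that is why the script reads the rule file as well as the alerts.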