[Snort-devel] Benchmark pass rules vs rule mods?

Mcclure Gammon gammon.mcclure at ...1145...
Fri Sep 5 05:09:10 EDT 2003

Thanks Erek,
Understand, and I do use BPFs.  But that begs the question.  Let's assume I've got multiple class Cs on my DMZs with a whole lot of "interestingly coded" apps running out there.  I find one box triggers multiple IIS rules (during normal processing), another trips other rules, etc.  By the time I'm done with my BPF, it's longer than the rule sets ;-)  So, back to my original question?

-----Original Message-----
From: Erek Adams [mailto:erek at ...835...]
Sent: Friday, September 05, 2003 1:14 AM
To: Mcclure Gammon
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Benchmark pass rules vs rule mods?

On Thu, 4 Sep 2003, Mcclure Gammon wrote:

> Foolish question - has anyone benchmarked the performance delta between
> adding a bunch of pass rules vs. modifying rules themselves?  I.e.,
> "pass tcp any any -> xxx.yyy.zzz.1 etc." vs. "alert tcp any any ->
> !xxx.yyy.zzz.1/32 etc."  Ignore the folly of having to remod after rule
> updates; which carries the greatest performance hit?

Not foolish, not in the least.

If you really want to make it less overhead use a BPF filter.

	snort <options> 'not src <foo> and port <foo2>'

It drops the packets before Snort ever sees them.  Fewer packets == less work
for Snort.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
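The three mechanisms under discussion (pass rules, a negated destination in the rule header, and a BPF filter) can all be generated from one exclusion list, which also addresses the "remod after rule updates" objection, since only the list has to be maintained. The POSIX sh script below is an added example, not code from this thread or from the Snort project; the hosts, the sid range and the msg text are assumed values, and the `-o`, `-F` and `config order:` references are Snort 2.x command-line and snort.conf features, not something either poster mentioned.

```shell
#!/bin/sh
# Added example, not from the thread: build all three "don't alert on these
# hosts" variants from one list, so only the list is edited after a rule
# update. The hosts, sid range and msg text below are assumed values.
EXCLUDE_HOSTS="192.0.2.1 192.0.2.2 192.0.2.3"   # constructed sample hosts
PASS_SID_BASE=1000001                            # assumed local sid range

# Variant 1: one pass rule per excluded destination host.
# Pass rules only win over alert rules if pass is evaluated first; in Snort 2.x
# of this era that means "snort -o" or "config order: pass alert log" in
# snort.conf (check the manual for your version).
gen_pass_rules() {
    sid=$PASS_SID_BASE
    for h in $EXCLUDE_HOSTS; do
        printf 'pass tcp any any -> %s/32 any (msg:"local exclusion %s"; sid:%d;)\n' \
            "$h" "$h" "$sid"
        sid=$((sid + 1))
    done
}

# Variant 2: a negated destination list for the rule header, e.g.
# "![192.0.2.1/32,192.0.2.2/32]", spliced into every alert rule.
gen_negated_dest() {
    list=""
    for h in $EXCLUDE_HOSTS; do
        list="${list:+$list,}$h/32"
    done
    printf '![%s]' "$list"
}

# Rewrite rules read on stdin whose destination is "any"; other rules pass
# through untouched. '|' is the sed delimiter because the list contains '/'.
rewrite_rule() {
    neg=$(gen_negated_dest)
    sed "s|-> any |-> $neg |"
}

# Variant 3: a BPF expression that drops traffic to the hosts before Snort
# decodes it; "snort -c snort.conf -F exclude.bpf" reads it from a file.
gen_bpf() {
    expr=""
    for h in $EXCLUDE_HOSTS; do
        expr="${expr:+$expr or }dst host $h"
    done
    printf 'not (%s)' "$expr"
}

# Demo: emit the three variants for inspection.
echo "# variant 1: pass rules (needs snort -o or config order: pass alert log)"
gen_pass_rules
echo "# variant 2: alert rule with negated destination"
printf 'alert tcp any any -> any 80 (msg:"example"; sid:1000100;)\n' | rewrite_rule
echo "# variant 3: BPF filter (snort -c snort.conf -F exclude.bpf)"
gen_bpf
echo
```

Two caveats when comparing them. The BPF variant is the cheapest because the kernel discards the packets before libpcap hands them up, but that also hides them from every preprocessor (stream reassembly, portscan detection) and from logging, and `dst host` only matches one direction, so replies from the excluded hosts still traverse the rule set. Pass rules and negated headers cost a rule-tree lookup per packet but keep the traffic visible to preprocessors and to any rules you still want to fire.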
