[Snort-devel] Benchmark pass rules vs rule mods?
gammon.mcclure at ...1145...
Fri Sep 5 05:09:10 EDT 2003
Understand, and I do use BPFs. But that begs the question. Let's assume I've got multiple class Cs on my DMZs with a whole lot of "interestingly coded" apps running out there. I find one box triggers multiple IIS rules (during normal processing), another trips other rules, etc. By the time I'm done with my BPF, it's longer than the rule sets ;-) So, back to my original question?
From: Erek Adams [mailto:erek at ...835...]
Sent: Friday, September 05, 2003 1:14 AM
To: Mcclure Gammon
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Benchmark pass rules vs rule mods?
On Thu, 4 Sep 2003, Mcclure Gammon wrote:
> Foolish question - has anyone benchmarked the performance delta between
> adding a bunch of pass rules vs. modifying rules themselves? I.e.,
> "pass tcp any any -> xxx.yyy.zzz.1 etc." vs. "alert tcp any any ->
> !xxx.yyy.zzz.1/32 etc." Ignore the folly of having to remod after rule
> updates; which carries the greatest performance hit?
Not foolish, not in the least.
If you really want to make it less overhead use a BPF filter.
snort <options> 'not src <foo> and port <foo2>'
It drops the packets before Snort ever sees them. Less packets==less work
"When things get weird, the weird turn pro." H.S. Thompson
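The three exclusion mechanisms the thread compares (pass rules, a negated rule header, and a BPF filter), generated side by side from one exclusion list so the trade-off is visible. This is an added example, not code from the thread or from the Snort project; the addresses, SIDs and the variable name NOISY_HOSTS are constructed placeholders, and the direction (dst) follows the "-> host" form in the original question.

```python
"""Added example (not from the Snort-devel thread): emit the three ways of
excluding known-noisy hosts from Snort inspection from a single list, so the
configuration cost and the evaluation layer of each can be compared.
All addresses and SIDs below are constructed placeholders."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    host: str            # dotted-quad, optionally with /prefix
    port: Optional[int]  # None means every port on that host/net


def pass_rules(excl: List[Exclusion], base_sid: int = 1000001) -> List[str]:
    """One Snort 2.x 'pass' rule per exclusion.

    Pass rules are evaluated by the detection engine like any other rule,
    so the packet is still decoded and preprocessed. Snort 2.x evaluates
    alert rules before pass rules unless started with -o, which switches the
    order to pass -> alert -> log."""
    lines = []
    for i, e in enumerate(excl):
        port = "any" if e.port is None else str(e.port)
        lines.append(f'pass tcp any any -> {e.host} {port} '
                     f'(msg:"exclude {e.host}"; sid:{base_sid + i};)')
    return lines


def negated_header_var(excl: List[Exclusion],
                       name: str = "NOISY_HOSTS") -> Tuple[str, str]:
    """A Snort variable plus a header fragment any rule can reuse.

    Only the address part of a header can be negated with '!', so a
    per-host port exclusion degrades to a host-wide one here; this also has
    to be re-applied to each rule after every rule update."""
    hosts = ",".join(e.host for e in excl)
    return f"var {name} [{hosts}]", f"alert tcp any any -> !${name} any"


def bpf_filter(excl: List[Exclusion]) -> str:
    """A libpcap/BPF expression for 'snort <options> <expr>'.

    The filter runs in the capture layer, so matching packets never reach
    Snort's decoder, preprocessors or rules; it is also the only one of the
    three that survives rule updates untouched."""
    terms = []
    for e in excl:
        keyword = "net" if "/" in e.host else "host"
        term = f"dst {keyword} {e.host}"
        if e.port is not None:
            term = f"({term} and dst port {e.port})"
        terms.append(term)
    return "not (" + " or ".join(terms) + ")"


def sample_exclusions() -> List[Exclusion]:
    """Constructed sample: one IIS box on port 80 and one whole DMZ net."""
    return [Exclusion("192.0.2.10", 80), Exclusion("192.0.2.0/24", None)]


if __name__ == "__main__":
    excl = sample_exclusions()
    print("\n".join(pass_rules(excl)))
    print("\n".join(negated_header_var(excl)))
    print(bpf_filter(excl))
```

Generating the BPF expression from a list keeps the filter maintainable even when it grows past the rule set, which was the concern raised above; the pass-rule and negated-header forms are emitted mainly to show how much per-rule editing they imply.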