[Snort-devel] Benchmark pass rules vs rule mods?

Erek Adams erek at ...835...
Fri Sep 5 11:13:05 EDT 2003

On Fri, 5 Sep 2003, Mcclure Gammon wrote:

> Thanks Erek, Understand and I do use BPF's.  But that begs the question.
> Let's assume I've got multiple class C's on my DMZs with a whole lot of
> "interestingly coded" apps running out there.  I find one box triggers
> multiple IIS rules (during normal processing), another trips other
> rules, etc.  By the time I'm done with my BPF, it's longer than the rule
> sets ;-)

True...  That's where the -F flag comes in handy.  :)  If you need, you
can write a lot of BPF filters and stick them in a file.  Then load the
file from the command line using -F <file>.  That's useful if you need
some really wierd filters that don't lend themselves well to adding on the
command line.

> So, back to my original question?

Well...  It really all depends.  Consider this:

  var HOME_NET [,]


  var HOME_NET []

Now, since they are equal it would seem like they take the same amount of
time/parsing.  Not true.  The first example takes longer to parse on a
rule.  You've got two separate nets to check, so Snort checks one net and
then the other.  In the second, you've only got one net.  Sorta like "Is A
a member of B or C?" vs "Is A a member of B?"

Another factor to consider:  Each 'check' you add on a rule the more
parsing/inspection that Snort has to do.  For example:

	pass tcp $SMTP_SERVERS 25 -> any any;


	pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Passing SMTP
	rcpt to sed command attempt"; flow:to_server,established; content:"rcpt
	to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0;
	classtype:attempted-admin; sid:1000663; rev:6;)

(cloned from SID 663)

You incur extra overhead with the flow, content distance, etc...

I guess a good rule of thumb would be 'keep it short and simple'.  The
simpler your rules are, the less of a strain on Snort they will be.  Now,
I'm taking a guess, but if you're running the default ruleset, you're
going to have a pain in a production environment.  If not, ignore the
rest.  ;-)  The default rules are just 'examples' of what/how you can do
things.  They are not necessarily tuned well for your nets.  If you
haven't tuned them down, I'd suggest doing that.  You might want to
consider adding a set of 'anomaly' rules as well.  IOW, your webservers
should never make an outbound connection to anything but your DNS server
on port 53 right?  You should only have SSH allowed from your management
net, and not the outside world.  If you break it down and think about the
function of each box you can start to draw a picture of what would be 'odd
or wierd' for each.  Write rules that fire off for that, and you can cut
down a lot on your rules, but still have a heads up that something is

Hope that helps!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-devel mailing list