[Snort-devel] Optimized?

Martin Olsson elof at ...969...
Wed Jan 14 07:27:12 EST 2004


On Fri, 19 Dec 2003, Marc Norton wrote:
> Snort handles this pretty well.  Remember, most traffic is eliminated by
> the high speed content checking and never makes it to that test.

I've read the PDF whitepapers but still haven't got the answer to my
question.


Given this rule:

  alert tcp 1.1.1.1 any -> any 80 (........)

...is Snort smart and builds a matching policy based on the rule, or is it
dumb and always matches each column?

Build a dynamic matching policy from the rule (variable number of tests):
  {
    Test that the protocol is tcp
    Test that the src IP is 1.1.1.1
    Test that the dst port is 80
  }

Here you see that in the built policy there are no tests for the src port
or dst IP. Since they will always match, they are removed from the policy.
Hence no CPU resources will be wasted matching the src port or dst IP.

The dumb way, a static list of things to test (always 5 tests):
  Test that the protocol is tcp
  Test that the src IP is 1.1.1.1
  Test that the src port is anything
  Test that the dst IP is anything
  Test that the dst port is 80

...or does Snort do its matching in some other way?


Why I ask this:
If I have a rule that matches
  any any -> any 80
and I change it to
  !1.1.1.1 any -> any 80

Will the changed rule use more CPU since Snort has to perform a test
(!1.1.1.1) for the src IP that was otherwise removed when building the
matching policy?
Or is it more resource-friendly to use suppression instead of modifying
the rule?

/Martin
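
The "dynamic matching policy" described in the message above, written out as a small added C program. This is an illustration written for this page, not Snort's rule compiler, and the names policy_build, policy_match, pkt_t and the sample packets are all invented here. It compiles a five-column header (proto, src IP, src port, dst IP, dst port; the proto column is required, unlike in the shortened headers quoted above) into a list that holds only the tests that can fail: "any" columns emit nothing, and a leading "!" emits one negated test, so "!1.1.1.1" costs exactly one extra comparison per packet compared with "any".

```c
/* Added illustration, not Snort's code: compile a rule header such as
 * "tcp 1.1.1.1 any -> any 80" into only the tests that can fail. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t  proto;            /* 6 = tcp, 17 = udp, 1 = icmp */
    uint32_t sip, dip;         /* IPv4 addresses as host-order integers */
    uint16_t sport, dport;
} pkt_t;

enum field { F_PROTO, F_SIP, F_SPORT, F_DIP, F_DPORT, F_COUNT };
typedef struct { enum field field; uint32_t value; int negate; } test_t;
typedef struct { test_t tests[F_COUNT]; int n; } policy_t;  /* n = tests emitted */

/* Parse "a.b.c.d" into a host-order integer; returns 0 on malformed input. */
static int parse_ip4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static int proto_number(const char *s)
{
    return !strcmp(s, "tcp") ? 6 : !strcmp(s, "udp") ? 17 : !strcmp(s, "icmp") ? 1 : -1;
}

/* Append a test for one header column unless the column is "any". */
static int add_test(policy_t *pol, enum field f, const char *tok)
{
    test_t t = { f, 0, 0 };
    if (!strcmp(tok, "any")) return 1;            /* always true: emit nothing */
    if (tok[0] == '!') { t.negate = 1; tok++; }   /* "!x" becomes a negated test */
    if (f == F_PROTO) {
        int p = proto_number(tok);
        if (p < 0) return 0;
        t.value = (uint32_t)p;
    } else if (f == F_SIP || f == F_DIP) {
        if (!parse_ip4(tok, &t.value)) return 0;
    } else {
        char *end;
        unsigned long port = strtoul(tok, &end, 10);
        if (tok == end || *end || port > 65535) return 0;
        t.value = (uint32_t)port;
    }
    pol->tests[pol->n++] = t;
    return 1;
}

/* Compile "proto sip sport -> dip dport" into pol.
 * Returns the number of tests emitted, or -1 if the header is malformed. */
int policy_build(const char *header, policy_t *pol)
{
    char proto[32], sip[32], sport[32], arrow[32], dip[32], dport[32];
    const char *cols[] = { proto, sip, sport, dip, dport };  /* enum field order */
    pol->n = 0;
    if (sscanf(header, "%31s %31s %31s %31s %31s %31s",
               proto, sip, sport, arrow, dip, dport) != 6 || strcmp(arrow, "->"))
        return -1;
    for (int f = 0; f < F_COUNT; f++)
        if (!add_test(pol, (enum field)f, cols[f])) return -1;
    return pol->n;
}

static uint32_t field_value(const pkt_t *p, enum field f)
{
    return f == F_PROTO ? p->proto : f == F_SIP ? p->sip : f == F_SPORT ? p->sport
         : f == F_DIP   ? p->dip   : p->dport;
}

/* Run only the emitted tests; columns written as "any" cost nothing here. */
int policy_match(const policy_t *pol, const pkt_t *p)
{
    for (int i = 0; i < pol->n; i++) {
        int eq = field_value(p, pol->tests[i].field) == pol->tests[i].value;
        if (eq == pol->tests[i].negate) return 0;  /* mismatch, or hit a !value */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample packets: both to port 80, from 1.1.1.1 and 2.2.2.2. */
    const pkt_t from_1111 = { 6, 0x01010101u, 0x0a000001u, 40000, 80 };
    const pkt_t from_2222 = { 6, 0x02020202u, 0x0a000001u, 40000, 80 };
    const char *headers[] = { "tcp 1.1.1.1 any -> any 80",
                              "tcp any any -> any 80",
                              "tcp !1.1.1.1 any -> any 80" };
    for (size_t i = 0; i < 3; i++) {
        policy_t pol;
        int n = policy_build(headers[i], &pol);
        printf("%-27s tests=%d  from 1.1.1.1: %s  from 2.2.2.2: %s\n", headers[i], n,
               policy_match(&pol, &from_1111) ? "match" : "miss",
               policy_match(&pol, &from_2222) ? "match" : "miss");
    }
    return 0;
}
```

The per-packet cost of a compiled header is the length of its test list, so "tcp any any -> any 80" runs two comparisons, "tcp 1.1.1.1 any -> any 80" three, and "tcp !1.1.1.1 any -> any 80" also three: the negation does not add a test beyond the one needed for a non-"any" source address.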