[Snort-devel] Optimized?

Daniel J. Roelker droelker at ...402...
Wed Jan 14 08:30:06 EST 2004

The "Snort 2.0: Rule Optimizer" whitepaper explains our method for
optimizing rule sets.  It answers your questions, so it should help you.

If you read the rule optimizer whitepaper and you're still not
enlightened, then I suggest you supplement your reading of the
whitepaper with source code review with the following files:


In short, we have a dual-layer approach to inspecting rules.  We group
rules into optimized rulesets, and based on initial tests in these
optimized rulesets, we go into the more CPU intensive testing of the
rules that passed the initial tests.

So a quick answer to your question is that "snort [is] smart and builds
a matching policy based on the rule" or rules as it is.


On Wed, 2004-01-14 at 10:26, Martin Olsson wrote:
> On Fri, 19 Dec 2003, Marc Norton wrote:
> > Snort handles this pretty well.  Remember, most traffic is eliminated by
> > the high speed content checking and never makes it to that test.
> I've read the pdf whitepapers but still don't got the answer to my
> question.
> Given this rule:
>   alert tcp any -> any 80 (........)
> ...is snort smart and builds a matching policy based on the rule or is it
> dumb and always match each column?
> Build a dynamic matching policy from the rule (variable nr of tests):
>   {
>     Test that the protocol is tcp
>     Test that the src IP is
>     Test that the dst port is 80
>   }
> Here you see that in the built policy there are no tests for the src port
> or dst IP. Since they will always match, they are removed from the policy.
> Hence no CPU recources will be wasted, matching the src port or dst IP.
> The dumb way, a static list of things to test (always 5 tests):
>   Test that the protocol is tcp
>   Test that the src IP is
>   Test that the src port is anything
>   Test that the src IP is anything
>   Test that the dst port is 80
> ...or does snort do its matching in some other way?
> Why I ask this:
> If I have a rule that matches
>   any any -> any 80
> and I change it to
>   ! any -> any 80
> Will the changed rule use more CPU since snort has to perform a test
> (! for the src IP that was otherwize removed when building the
> matching policy?
> Or is it more recource-friendly to use suppression instead of modifying
> the rule?
> /Martin
> -------------------------------------------------------
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
Daniel Roelker
Software Developer
Sourcefire, Inc.

More information about the Snort-devel mailing list