[Snort-devel] Order of stream_size and dsize checks?

Steven Sturges steve.sturges at ...402...
Fri Mar 21 14:58:31 EDT 2014


For rules that match, all of the options will be evaluated, so no 
savings there, but avoiding complex checks such as PCRE is always
good for performance.

I'd recommend placing the options that are less likely to match on
all packets except the real thing, towards the front of the rule --
taking into account any relative dependencies, of course.

That is why most of the Sourcefire-authored rules have flow (e.g.,
to_server,established) as the first option.

Cheers
-steve

On 3/21/14, 2:22 PM, snort user wrote:
> Joel -
>
> Could you please explain how the placing of stream_size or dsize will
> speed up evaluation of the rule? I can see that placing it upfront will
> eliminate evaluation of the more expensive options such as content or
> pcre, but is there some other aspect that will make the rule evaluation
> more faster with these rule options placed upfront?
>
> Thanks
>
>
>
> On Fri, Mar 21, 2014 at 2:11 PM, Joel Esler (jesler) <jesler at ...3461...
> <mailto:jesler at ...3461...>> wrote:
>
>     You bring up a good point though, Harley, which is basically, if you
>     put those checks first in the rule (before the content match) it can
>     speed up the evaluation of the traffic by that rule.
>
>     --
>     *Joel Esler*
>     Open Source Manager
>     Threat Intelligence Team Lead
>     Vulnerability Research Team
>
>     On Mar 21, 2014, at 12:06 PM, Steven Sturges
>     <steve.sturges at ...402... <mailto:steve.sturges at ...402...>>
>     wrote:
>
>>     Rule options are evaluated in the order specified in the rule.
>>
>>     On 3/21/14, 11:56 AM, Harley H wrote:
>>>     Hello,
>>>       Are stream_size and dsize checked following any or all content
>>>     matches or are they performed first?
>>>
>>>     -Harley
>>>
>>>
>>>     ------------------------------------------------------------------------------
>>>     Learn Graph Databases - Download FREE O'Reilly Book
>>>     "Graph Databases" is the definitive new guide to graph databases
>>>     and their
>>>     applications. Written by three acclaimed leaders in the field,
>>>     this first edition is now available. Download your free book today!
>>>     http://p.sf.net/sfu/13534_NeoTech
>>>
>>>
>>>
>>>     _______________________________________________
>>>     Snort-devel mailing list
>>>     Snort-devel at lists.sourceforge.net
>>>     <mailto:Snort-devel at lists.sourceforge.net>
>>>     https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>     Archive:
>>>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>>     Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>
>
>
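To make the ordering argument in this thread concrete, here is a toy evaluator (added illustration, not Snort code) that walks rule options in the written order and stops at the first failure, then tallies an assumed per-option cost over a few constructed payloads. The option functions, cost weights, rule tuples and sample packets are all assumptions for the demonstration.

```python
import re

# Added illustration of the thread's point: Snort evaluates rule options in the
# order written and stops at the first option that fails, so cheap checks such
# as dsize placed first spare the expensive ones (content, pcre) on most traffic.
# The option functions, cost weights and sample payloads below are constructed
# assumptions for this toy evaluator, not Snort's own code or API.

def opt_dsize(payload, lo, hi):
    return lo <= len(payload) <= hi

def opt_content(payload, needle):
    return needle in payload

def opt_pcre(payload, pattern):
    return re.search(pattern, payload) is not None

OPTIONS = {"dsize": opt_dsize, "content": opt_content, "pcre": opt_pcre}

# Rough relative cost per option type (assumed; pcre is by far the heaviest).
WEIGHTS = {"dsize": 1, "content": 5, "pcre": 50}

# The same three checks in two orderings.
RULE_CHEAP_FIRST = [("dsize", 30, 80), ("content", "GET "), ("pcre", r"^GET /admin/\w+\.php")]
RULE_PCRE_FIRST = [("pcre", r"^GET /admin/\w+\.php"), ("content", "GET "), ("dsize", 30, 80)]

# Constructed sample payloads: one true positive, three that should not match.
PACKETS = [
    "GET /admin/login.php HTTP/1.1\r\nHost: a\r\n\r\n",  # 42 bytes, passes every option
    "GET / HTTP/1.1\r\n",                                 # 16 bytes, too short for dsize
    "x" * 1200,                                           # bulk data, too long for dsize
    "POST /admin/login.php HTTP/1.1\r\n",                 # 32 bytes, wrong method
]

def evaluate(rule, payload):
    """Walk the options in rule order; return (matched, names of options evaluated)."""
    evaluated = []
    for name, *args in rule:
        evaluated.append(name)
        if not OPTIONS[name](payload, *args):
            return False, evaluated   # short-circuit on the first failing option
    return True, evaluated            # a match evaluates every option regardless of order

def cost(rule, packets):
    """Weighted count of option evaluations over a set of packets."""
    return sum(WEIGHTS[n] for p in packets for n in evaluate(rule, p)[1])

if __name__ == "__main__":
    for label, rule in (("cheap first", RULE_CHEAP_FIRST), ("pcre first", RULE_PCRE_FIRST)):
        print(f"{label}: cost {cost(rule, PACKETS)}, packet 0 -> {evaluate(rule, PACKETS[0])}")
```

The matching packet evaluates all three options under either ordering (no savings there, as Steve says), while the three non-matching packets are rejected by dsize alone in the cheap-first rule instead of each paying for a pcre evaluation.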