[Snort-sigs] SO rules vs regular rules

Brian Caswell bmc at ...95...
Mon Feb 1 13:57:31 EST 2010


On Thu, Jan 14, 2010 at 3:10 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
> Lately I have considered taking some of the poorer performing snort
> rules and making them shared object rules.  The purpose of this would
> be to improve performance but my question is, will it?  Are there any
> performance metrics associated with SO rules vs regular rules?

It depends.

More often than not, poor performing rules will perform poorly in
textual and in shared object form.  Changing how the rule gets loaded
into Snort will not correct most flaws in the implementation of rules.

If you are planning on using the converter published at
labs.snort.org, you will not see any performance gain for straight
translation of rules to shared objects.  In all practical terms, the
detection from the shared object rules built from the converter's
output is exactly the same as that of the textual rules.  Prior to 2.8.5,
the straight translation of text rules to SO rules was a performance
loss.  In prior releases, using SO rules was a large performance loss.
Since 2.8.5, rules converted to SO rules using the translator should be
roughly equivalent in performance.

Using the current version of snort, rewriting some rules using
hand-tuned C can show an increase in performance.

However, due to the rule tree optimizations done in recent versions of
Snort, hand-tuned C rules could perform worse than the original
text rules.

Again, it depends.  If you want to squeeze every bit of performance
out of your rules, you need to know your environment, the rules you
are writing and how they are optimized together within Snort, your
network traffic profile, etc.

Or... you could just let Snort's internal optimizations work for your
benefit, which they do a decent job of in most situations.

Brian