[Snort-users] Subnet list in HOME_NET affects performance?

Lai Zit Seng laizs at ...2240...
Tue Jun 12 11:01:13 EDT 2001

I have a network with multiple subnets that are not completely adjacent,
so I am forced to specify a list of CIDR subnets in my HOME_NET variable.
I observed that snort seems to be missing quite a lot of attacks, so I
started to do some testing.

I configured an alert rule to catch an ICMP probe from a specific external
host into my internal network. Then I go to that external host and start
pinging back into my HOME_NET. I check my alert log and my ping activity
and observe that the "majority" of the ping probes are not reported (eg,
80% loss).

Then I changed my HOME_NET to a single subnet with a netmask big enough to
somewhat cover all my actual subnets. In this configuration, snort logs
correctly ALL my ping probes.

So my question... does spcifying a subnet list in HOME_NET severely affect
snort's performance?

Some background:

I did the above test using the current CVS daily snapshot, using the 1.8
rules largely unmodified except for HOME_NET. Snort is running on a dual
processor Pentium III 450MHz with 512MB RAM and using a 3Com 3c905 for the
sniffing interface.



More information about the Snort-users mailing list