[Snort-users] Rules vs performance

Robinson, Ken ken.robinson at ...1563...
Thu May 10 15:41:30 EDT 2001


Are there any rule-of-thumb, or such on how the number of Snort rules
affects the performance?   

In doing some lab tests, we found that has the amount of traffic went up, we
detected fewer and fewer test attacks.     CPU usage was high, but not
peaked right out.     The lab boxes were PIII 800Mhz systems with 100Mbit
NICs and 256Meg RAM.  

I don't know of the misses were due to an issue with the hardware (NIC
missing packets?), or if there were too many rules to sort through for the
Snort software, or too much logging? 

We've looked through the snort rules from Whitehats and found many cases
were we could reduce the rules by either dropping them (i.e. don't care),
reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
instead of detecting which OS),  or making groups of them as activate rules
(i.e. the DeepThroat backdoor rules).    We could also use the Activate
rules to log the next 50 packets and then run a full set or rules on those
logged packets.  

So, any advise for us?   Should we use Activate rules as much as possible?
Should we generalize rules?   Or is all of this not going to make much of a


Ken Robinson

More information about the Snort-users mailing list