[Snort-users] Rules vs performance

Jean-Francois Zwobada zwobada at ...1938...
Fri May 11 02:54:39 EDT 2001

Hi guys

What's the average and peak bandwidth you're trying to analyse ?



At 12:53 10/05/01 -0700, Kevin Brown wrote:

>I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s 
>link the snort was clocking 40% of the cpu with absolutely no rules or 
>plugins.  I don't remember the specifics, but I was removing rules from 
>the list till snort dropped to 80% or less and of the ruleset of 400 rules 
>I had to drop all but 50 I believe to get it down.  I'm currently using a 
>Sparc 500 and it is clocking 50% of the CPU (same link) with the full 
>ruleset in place (snort1.8b5 build 20).  I downloaded top and compiled it 
>and just watch the processes and notice that with just the database and 
>spp plugins snort is slowing eating up my 1GB of memory.  I don't know if 
>that is a memory leak or just a lot of memory caching going on within snort.
>-----Original Message-----
>From: Robinson, Ken 
>[<mailto:ken.robinson at ...1563...>mailto:ken.robinson at ...1563...]
>Sent: Thursday, May 10, 2001 12:42
>To: Snort List (E-mail)
>Subject: [Snort-users] Rules vs performance
>Are there any rule-of-thumb, or such on how the number of Snort rules
>affects the performance?
>In doing some lab tests, we found that has the amount of traffic went up, we
>detected fewer and fewer test attacks.     CPU usage was high, but not
>peaked right out.     The lab boxes were PIII 800Mhz systems with 100Mbit
>NICs and 256Meg RAM.
>I don't know of the misses were due to an issue with the hardware (NIC
>missing packets?), or if there were too many rules to sort through for the
>Snort software, or too much logging?
>We've looked through the snort rules from Whitehats and found many cases
>were we could reduce the rules by either dropping them (i.e. don't care),
>reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
>instead of detecting which OS),  or making groups of them as activate rules
>(i.e. the DeepThroat backdoor rules).    We could also use the Activate
>rules to log the next 50 packets and then run a full set or rules on those
>logged packets.
>So, any advise for us?   Should we use Activate rules as much as possible?
>Should we generalize rules?   Or is all of this not going to make much of a
>Ken Robinson
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : + - Fax : +
30, rue du Chateau des Rentiers - 75013 PARIS

More information about the Snort-users mailing list