[Snort-users] Rules vs performance
ken.robinson at ...1563...
Fri May 11 08:18:27 EDT 2001
I want to handle full duplex, 100Mbit. We're using Ether Taps, so each
direction is actually a different NIC.
From: Jean-Francois Zwobada [mailto:zwobada at ...1938...]
Sent: May 11, 2001 2:55 AM
To: Kevin Brown; 'Robinson, Ken'; Snort List (E-mail)
Subject: RE: [Snort-users] Rules vs performance
What's the average and peak bandwidth you're trying to analyse ?
At 12:53 10/05/01 -0700, Kevin Brown wrote:
>I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s
>link the snort was clocking 40% of the cpu with absolutely no rules or
>plugins. I don't remember the specifics, but I was removing rules from
>the list till snort dropped to 80% or less and of the ruleset of 400 rules
>I had to drop all but 50 I believe to get it down. I'm currently using a
>Sparc 500 and it is clocking 50% of the CPU (same link) with the full
>ruleset in place (snort1.8b5 build 20). I downloaded top and compiled it
>and just watch the processes and notice that with just the database and
>spp plugins snort is slowly eating up my 1GB of memory. I don't know if
>that is a memory leak or just a lot of memory caching going on within
>From: Robinson, Ken
>[<mailto:ken.robinson at ...1563...>mailto:ken.robinson at ...1563...]
>Sent: Thursday, May 10, 2001 12:42
>To: Snort List (E-mail)
>Subject: [Snort-users] Rules vs performance
>Are there any rule-of-thumb, or such on how the number of Snort rules
>affects the performance?
>In doing some lab tests, we found that as the amount of traffic went up,
>Snort detected fewer and fewer test attacks. CPU usage was high, but not
>peaked right out. The lab boxes were PIII 800Mhz systems with 100Mbit
>NICs and 256Meg RAM.
>I don't know if the misses were due to an issue with the hardware (NIC
>missing packets?), or if there were too many rules to sort through for the
>Snort software, or too much logging?
>We've looked through the snort rules from Whitehats and found many cases
>where we could reduce the rules by either dropping them (i.e. don't care),
>reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
>instead of detecting which OS), or making groups of them as activate rules
>(i.e. the DeepThroat backdoor rules). We could also use the Activate
>rules to log the next 50 packets and then run a full set of rules on those
>So, any advice for us? Should we use Activate rules as much as possible?
>Should we generalize rules? Or is all of this not going to make much of a
Cellule Securite - Fluxus
30, rue du Chateau des Rentiers - 75013 PARIS
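Added example (not from any message in this thread, and not a Snort project rule) showing, in Snort 1.x rule syntax, the two rule-level techniques Ken proposes: collapsing the per-OS ICMP itype 8 rules into one generic ping rule, and an activate/dynamic pair that logs the next 50 packets after a trigger so a fuller ruleset can be run over them offline. The destination port 6670, the content string and the activation number 1 are placeholders chosen for illustration, not a real backdoor signature.

```snort
# Added example, not from the thread. Snort 1.x rule syntax.

# 1. Generalize: one rule records every ICMP echo request instead of one
#    rule per fingerprinted OS (the "itype 8" consolidation from the thread).
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request (generic ping)"; itype:8;)

# 2. Activate/dynamic pair: the cheap trigger runs in-line; the dynamic rule
#    it activates logs the next 50 packets on that connection for later
#    analysis. Port 6670, the content string and activation number 1 are
#    assumed placeholders, not a real signature.
activate tcp any any -> $HOME_NET 6670 (msg:"backdoor trigger (placeholder)"; content:"placeholder"; activates:1;)
dynamic tcp any any -> $HOME_NET 6670 (activated_by:1; count:50;)
```

Two practical notes. Snort evaluates rule types in a fixed default order (activation, then dynamic, then alert, pass and log), so an activate rule is matched before the ordinary alert rules regardless of where it sits in the file. To run "a full set of rules on those" packets, log them in binary (`-b`) and replay the log with `snort -r <logfile> -c <full ruleset>`; and before blaming the ruleset for missed attacks, compare the received and dropped packet counts Snort prints when it exits, since a NIC or libpcap drop shows up there and no rule tuning will fix it.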