[Snort-users] Snort Performance

jsp1999 at ...348...
Tue Sep 10 03:50:04 EDT 2002


Hi all! 
 
Snort is a great tool that offers convenient ways to customize the network 
traffic that should be monitored. 
 
Unfortunately we found out that there is a big problem if nearly all the 
available rules are used during operation. 
 
Snort does not look at all the packets, it often simply skips packets. On 
a highly loaded network this gets worse - more and more packets are simply 
not analyzed. 
 
Isn't this very dangerous, because many exploits require only a few 
packets to perform an exploit and to compromise machines? 
 
When we had an in depth look at the source code of snort, we saw that 
there are the RTN and OTN structures for storing the individual rules 
which have to be iterated through every time a new packet is matched. 
 
We consider this not to be optimal, because of the many ANY parts in the 
source and destination IPs. Has anybody thought about optimizing this 
basic data structure? Will this be improved in Snort 2.0 (we found some 
PPT presentations on the web)? Are there any chances for improving the 
ratio of investigated packets / actual packets on the network? 
 
J. 
 
 

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
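A toy model of the per-packet RTN/OTN walk the post describes, beside a port-indexed variant that skips headers which cannot match, as an added example (this is not Snort's code, and the port-bucket index is a simplification rather than how Snort 2.0 is actually built); the rule set and packet are constructed:

```python
from collections import defaultdict, namedtuple

ANY = None  # stands for "any" in a Snort rule header
# Rule Tree Node: one rule header; its Option Tree Nodes are (sid, content) pairs
RTN = namedtuple("RTN", "proto src_ip src_port dst_ip dst_port otns")

def header_matches(rtn, pkt):
    # each header field is either the wildcard or an exact match
    return (rtn.proto == pkt["proto"]
            and rtn.src_ip in (ANY, pkt["src_ip"]) and rtn.src_port in (ANY, pkt["src_port"])
            and rtn.dst_ip in (ANY, pkt["dst_ip"]) and rtn.dst_port in (ANY, pkt["dst_port"]))

def scan(candidates, pkt):
    """Compare each RTN header, then the OTNs under matching headers.
    Returns (matched sids, number of RTN header comparisons)."""
    hits, checks = [], 0
    for rtn in candidates:
        checks += 1
        if header_matches(rtn, pkt):
            hits += [sid for sid, content in rtn.otns if content in pkt["payload"]]
    return hits, checks

def match_linear(rtns, pkt):
    """Snort 1.x style: the whole RTN list is walked for every packet."""
    return scan(rtns, pkt)

def build_port_index(rtns):
    """Bucket RTNs by (proto, dst_port); rules with dst_port 'any' form a wildcard bucket."""
    index = defaultdict(list)
    for rtn in rtns:
        index[(rtn.proto, rtn.dst_port)].append(rtn)
    return index

def match_indexed(index, pkt):
    """Only the packet's own port bucket plus the wildcard bucket are compared."""
    key = (pkt["proto"], pkt["dst_port"])
    return scan(index.get(key, []) + index.get((pkt["proto"], ANY), []), pkt)

# Constructed rule set: two content rules per well-known port, plus one 'any'-port rule.
RULES = [RTN("tcp", ANY, ANY, "10.0.0.5", p, [(100 * p + i, f"bad{i}") for i in range(2)])
         for p in (21, 25, 53, 80, 139, 443)]
RULES.append(RTN("tcp", ANY, ANY, ANY, ANY, [(9999, "root")]))
# Constructed packet: HTTP request to 10.0.0.5:80 whose payload contains "bad1".
PKT = {"proto": "tcp", "src_ip": "192.0.2.7", "src_port": 40000,
       "dst_ip": "10.0.0.5", "dst_port": 80, "payload": "GET /bad1 HTTP/1.0"}

if __name__ == "__main__":
    print("linear :", match_linear(RULES, PKT))
    print("indexed:", match_indexed(build_port_index(RULES), PKT))
```

Both paths report the same alert, but the linear walk compares all seven headers per packet while the index touches only the port-80 bucket and the wildcard bucket; the gap grows with the number of rules, which is the drop-inducing cost the post is asking about.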