[Snort-users] Snort Performance
mkettler at ...4108...
Tue Sep 10 10:52:03 EDT 2002
At 09:40 AM 9/10/2002 -0700, Erek Adams wrote:
> > We consider this not to be optimal, because of the many ANY parts in the
> > source and destination IPs. Has anybody thought about optimizing this
> > basic data structure? Will this be improved in Snort 2.0 (we found some
> > PPT presentations on the web)? Are there any chances for improving the
> > ratio of investigated packets / actual packets on the network?
> Why is it not optimal? Care to elaborate?
I'd agree... I'd like to see someone suggest a structure which handles the
"lots of any's" case in a noticeably better manner than the existing system
without completely ruining performance for well-specified systems. Your
existing statement strikes me as a bit like calling a compression algorithm
"not optimal" because it fails on the worst-case input (i.e. truly random
data, which ALL compression algorithms must fail on).

As for the "lots of any's"... I don't seem to have very many myself. But
then again, I define EXTERNAL_NET as !HOME_NET instead of "any", and I've
also tweaked a few rules to use specific IPs or subnets instead of any.
But these tweaks need to be done in light of my particular network. Hence
this is really an "optimize your ruleset for your network" problem rather
than an "optimize snort to handle all cases, including the one which cannot

I would agree, however, that perhaps "some of the rules need to be better
thought out and use HOME_NET and EXTERNAL_NET where appropriate" is a fair
statement. I.e. virus rules might consider having "LOCAL_POP_CLIENTS"
instead of "any" in them:

any 110 -> any any
any 110 -> $LOCAL_POP_CLIENTS any
and default LOCAL_POP_CLIENTS to any, and suggest $HOME_NET as a good
But that's not really a whole lot of an optimization, since you're not
likely to see port 110 in any kind of traffic other than that specific
case. This weeds out very few packets in most real networks.
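An added example, not code from this thread or from Snort itself: a small Python model of Snort rule-header matching that runs the "any 110 -> any any" header and the "$LOCAL_POP_CLIENTS" variant (plus "$EXTERNAL_NET" defined as "!$HOME_NET") over constructed sample packets, so the number of packets each header would hand on to option matching is visible as a count. The variable values, addresses and packets are all assumptions made up for the illustration; only "->" headers are modelled, and the protocol field is ignored.

```python
"""Toy model of Snort rule-header matching (added example, not Snort code).

Evaluates headers such as 'tcp any 110 -> $LOCAL_POP_CLIENTS any' against
constructed sample packets, so replacing 'any' with a variable (or defining
EXTERNAL_NET as !$HOME_NET) shows up as a change in the matched-packet count.
All variable values, addresses and packets are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed snort.conf-style variables (assumed values, not from the post).
VARS = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",       # everything outside the home network
    "LOCAL_POP_CLIENTS": "$HOME_NET",   # hypothetical variable from the post
}

_VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_vars(expr: str, variables: dict = VARS) -> str:
    """Substitute $NAME references until none remain (like Snort's 'var')."""
    def lookup(m):
        try:
            return variables[m.group(1)]
        except KeyError:
            raise ValueError(f"undefined variable ${m.group(1)}") from None
    prev = None
    while prev != expr:
        prev, expr = expr, _VAR_RE.sub(lookup, expr)
    return expr


def addr_matches(spec: str, ip: str) -> bool:
    """Address field: 'any', a host/CIDR, a [a,b,...] list, or a '!'-negated spec."""
    spec = expand_vars(spec.strip())
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(p, ip) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Port field: 'any', a single port, a lo:hi range, or a '!'-negated spec."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def header_matches(header: str, pkt: Packet) -> bool:
    """Match a unidirectional 'proto src sport -> dst dport' header (proto ignored)."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are modelled")
    return (addr_matches(src, pkt.src) and port_matches(sport, pkt.sport)
            and addr_matches(dst, pkt.dst) and port_matches(dport, pkt.dport))


def count_matches(header: str, packets) -> int:
    """Number of packets the header would pass on to the rule's option checks."""
    return sum(header_matches(header, p) for p in packets)


# Constructed sample traffic: a home LAN talking to POP3 and HTTP servers,
# plus one POP3 reply in transit between two external hosts.
PACKETS = [
    Packet("10.0.0.5", 110, "192.168.1.10", 50000),      # POP3 reply to local client
    Packet("192.168.1.10", 50000, "10.0.0.5", 110),      # local client -> POP3 server
    Packet("10.0.0.5", 110, "10.0.0.6", 40000),          # POP3 reply, external -> external
    Packet("203.0.113.7", 80, "192.168.1.20", 51000),    # HTTP reply to local client
    Packet("192.168.1.20", 51000, "203.0.113.7", 80),    # local client -> HTTP server
    Packet("192.168.1.30", 25, "192.168.1.31", 44000),   # internal SMTP
    Packet("198.51.100.9", 110, "192.168.1.12", 52000),  # POP3 reply to local client
    Packet("192.168.1.12", 52000, "198.51.100.9", 110),  # local client -> POP3 server
]

HEADERS = [
    "tcp any any -> any any",                   # every packet
    "tcp any 110 -> any any",                   # the 'any' form from the post
    "tcp any 110 -> $LOCAL_POP_CLIENTS any",    # the suggested variable form
    "tcp $EXTERNAL_NET any -> $HOME_NET any",   # inbound traffic only
]


def summarize(headers=HEADERS, packets=PACKETS) -> dict:
    """Map each header to the number of sample packets it selects."""
    return {h: count_matches(h, packets) for h in headers}


if __name__ == "__main__":
    for header, n in summarize().items():
        print(f"{n}/{len(PACKETS)}  {header}")
```

Run as a script it prints one line per header. On this sample the source-port-110 restriction already narrows the first header to the three POP3 replies, and the "$LOCAL_POP_CLIENTS" variant drops only the external-to-external one, which is the point made above about that tweak weeding out very few packets; defining EXTERNAL_NET as "!$HOME_NET" is what lets the last header exclude the outbound and internal packets.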