[Snort-users] Snort Performance

Matt Kettler mkettler at ...4108...
Tue Sep 10 10:52:03 EDT 2002

At 09:40 AM 9/10/2002 -0700, Erek Adams wrote:
> > We consider this not to be optimal, because of the many ANY parts in the
> > source and destination IPs. Has anybody thought about optimizing this
> > basic data structure? Will this be improved in Snort 2.0 (we found some
> > PPT presentations on the web)? Are there any chances for improving the
> > ratio of investigated packets / actual packets on the network?
>Why is it not optimal?  Care to elaborate?

I'd agree.. I'd like to see someone suggest a structure which handles the 
"lots of any's" case in a noticeably better manner than the existing system 
without completely ruining performance for well specified systems. Your 
existing statement strikes me as a bit like calling a compression algorithm 
"not optimal" because it fails in the worst-case input (ie: true random 
data, which ALL compression algorithms must fail on).

As for the "lots of any's".. I don't seem to have very many myself. But 
then again, I define EXTERNAL_NET as !HOME_NET instead of ''any" and I've 
also tweaked a few rules to use specific IP's or subnets instead of any. 
But these tweaks need to be done in light of my particular network. Hence 
this is really a "optimize your ruleset for your network" problem rather 
than a "optimize snort to handle all cases, including the one which cannot 
be optimized".

I would agree however that perhaps "some of the rules need to be better 
thought out and use HOME_NET and EXTERNAL_NET where appropriate" is a fair 
statement. ie: virus rules might consider having "LOCAL_POP_CLIENTS" 
instead of 'any' in them.

any 110 -> any any
any 110 -> $LOCAL_POP_CLIENTS any

and default LOCAL_POP_CLIENTS to any, and suggest $HOME_NET as a good 

But that's not really a whole lot of an optimization, since you're not 
likely to see port 110 in any kind of traffic other than that specific 
case. This weeds out very few packets in most real networks.

More information about the Snort-users mailing list