[Snort-users] Rule Selection
mkettler at ...4108...
Thu Feb 10 09:03:12 EST 2005
At 02:15 AM 2/11/2005, Rudi Starcevic wrote:
>Let say only port 80 is open.
>Which of the two would run faster
>a) Snort with all rules loaded
>b) Snort with only port 80 rules loaded.
>I tend to think it makes no difference.
Snort will run slightly faster if there are fewer nodes in the first linked
list of the around.

Admittedly snort uses a double-list system to optimize this, so this is
very fast, but it does still add some tiny bits of overhead.

At a casual view, snort makes a linked list of port/ip specifiers, and
attached to each is a list of content rules. So snort won't execute any of
the port 25 content checks, but it still has to check the port number
before skipping on to the next and eventually finding the list of port 80

Really, the only reason I see to turn off other ports is to quiet obvious
noise you don't care about. On the other hand, sometimes it's nice to have
the safety net of the extra rules in case something does get turned on later...

When it comes to turning off whole ports, balance it on a basis of extra
noise vs extra info. Yes, it does impact performance, but that's too
trivial to care about.

(Now, turning off un-needed content rules within port 80 WILL make a big
impact, but that's another matter)
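A toy model of the two-list structure described in the reply (a list of port specifiers, each carrying its own list of content rules), added here to make the cost argument concrete; this is constructed example code, not Snort source, and the rule sets, payloads and operation counters are invented for illustration. It shows that dropping other-port rules only removes port comparisons, while the content checks on port 80 stay identical.

```python
"""Constructed model of Snort-style rule lists: an outer list of port
specifiers, each with its own list of content rules. Counters record how
much work each layer does so the two rule sets can be compared."""
from dataclasses import dataclass, field


@dataclass
class RuleTree:
    # port -> content patterns under that port specifier (insertion order
    # is the order in which the outer list is walked).
    ports: dict = field(default_factory=dict)
    port_checks: int = 0
    content_checks: int = 0

    def add(self, port, content):
        self.ports.setdefault(port, []).append(content.encode())

    def inspect(self, dst_port, payload):
        """Walk every port node (several specifiers could match, so the
        walk is not cut short); run content checks only on a port match."""
        hits = []
        for port, contents in self.ports.items():
            self.port_checks += 1
            if port != dst_port:
                continue
            for pattern in contents:
                self.content_checks += 1
                if pattern in payload:
                    hits.append((port, pattern.decode()))
        return hits


def build(all_ports=True):
    """Invented rule set: three port 80 content rules, plus one filler
    rule on each of seven other ports when all_ports is True."""
    tree = RuleTree()
    for pattern in ("cmd.exe", "../..", "<script"):
        tree.add(80, pattern)
    if all_ports:
        for port in (21, 22, 25, 110, 143, 443, 3306):
            tree.add(port, "X")
    return tree


def compare(packets):
    """Return ((port_checks, content_checks) for the full rule set,
    (port_checks, content_checks) for the port-80-only rule set)."""
    full, web_only = build(True), build(False)
    for dst_port, payload in packets:
        full.inspect(dst_port, payload)
        web_only.inspect(dst_port, payload)
    return ((full.port_checks, full.content_checks),
            (web_only.port_checks, web_only.content_checks))
```

Feeding both trees the same port 80 traffic makes the extra cost of the unused ports visible as port comparisons only; the content-check totals come out equal, which is the point the reply makes.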