[Snort-users] Rule Selection

Matt Kettler mkettler at ...4108...
Thu Feb 10 09:03:12 EST 2005


At 02:15 AM 2/11/2005, Rudi Starcevic wrote:
>Let say only port 80 is open.
>Which of the two would run faster
>
>a) Snort with all rules loaded
>b) Snort with only port 80 rules loaded.
>
>I tend to think it makes no difference.

Snort will run slightly faster if there are fewer nodes in the first linked 
list it walks through.

Admittedly, snort uses a double-list system to optimize this, so this is 
very fast, but it does still add a tiny bit of overhead.

At a casual view, snort makes a linked list of port/ip specifiers, and 
attached to each is a list of content rules. So snort won't execute any of 
the port 25 content checks, but it still has to check the port number 
before skipping on to the next and eventually finding the list of port 80 
rules.

Really, the only reason I see to turn off other ports is to quiet obvious 
noise you don't care about. On the other hand, sometimes it's nice to have 
the safety net of the extra rules in case something does get turned on later...

When it comes to turning off whole ports, balance it on a basis of extra 
noise vs extra info. Yes, it does impact performance, but that's too 
trivial to care about.

(Now, turning off un-needed content rules within port 80 WILL make a big 
impact, but that's another matter)
