[Snort-users] Performance and rule tuning

Matt Jonkman jonkman at ...4024...
Wed Dec 3 15:30:35 EST 2008

You have to be careful with any ruleset how much of it and which rules
you run, but moreso with the emerging threats rules. It's always a
balance of throughput vs tolerance of risk.

I'd not just kill all the ET rules, but look through and pick whats
important. The policy rules, much of the web client stuff, and the
web_sql_injection sets are going to be very high load. Use them only if
you have the capacity and need.

I'd personally not pass on the virus and malware sets, and the scan
rulesets. Very important sets and much lower load. They're worth
balancing into your sensors if possible.


Jefferson, Shawn wrote:
> I've been running the mmaped pcap module with snort on both my sensors for the last two days, and noticed quite an improvement, however I was still getting dropped packets.  I commented out all the Emerging Threats rules and this eliminated any dropped packets with over 100 MB/s of sustained traffic (at least that is what snort stats is showing me.)  Also, I noticed CPU usage went down considerably as well.  I guess I don't have enough horse power to run these rules.
> Speaking of the stats though... I noticed that with each increase in the performance of my snort sensor, I'm recording more MBit/second.  Now it's up to around 150 Mb/s.  Is this number an accurate measure of what's on the wire, or does it depend somewhat on the performance of your sensor?
> One more question about rule tuning:
> I am getting some false positives from the ftp pre-processor.  How do I suppress these without disabling the pre-processor altogether?
> Thanks!
> Shawn
> -----Original Message-----
> From: Jefferson, Shawn [mailto:Shawn.Jefferson at ...14448...]
> Sent: December 02, 2008 11:40 AM
> To: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Performance and rule tuning
> Thanks for your help everyone, I think I have this working.
> The log was daemon.log not messages, and it wasn't using PCAP_FRAMES.  I did the following:
> Apt-get remove libpcap0.8
> Rebuilt snort
> Used "export PCAP_FRAMES=32768" (I was confused as to use export or not... export seems to be required.)
> Now it says "Using PCAP_FRAMES=32768" in daemon.log.
> Now I'll do this on my main snort sensor and see if there is any performance improvement.
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Snort-users mailing list