[Snort-users] 2.8.4 performance improvements

Jefferson, Shawn Shawn.Jefferson at ...14448...
Mon Apr 27 13:32:45 EDT 2009


Good to know.  Has anyone done this?  Did you notice any appreciable performance improvement?  What about the rules that I listed below?  What will happen to those rules, do they just not get processed, or do they only get processed for sessions that don't need to be reassembled, or require the entire stream?

--
Shawn

________________________________
From: jcummings at ...1935... [mailto:jcummings at ...1935...] On Behalf Of JJ Cummings
Sent: April 27, 2009 10:29 AM
To: keith at ...1935...
Cc: Jefferson, Shawn; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] 2.8.4 performance improvements

Correct, you can do this by protocol also....

On Mon, Apr 27, 2009 at 11:17 AM, Keith Konecnik <kkonecnik at ...1935...> wrote:
In stream5 you have the ability to turn on and off the ignore any any rules option.

-k

On Mon, Apr 27, 2009 at 12:53 PM, Jefferson, Shawn <Shawn.Jefferson at ...14575...8...> wrote:
Hi,

One of the things that was talked about in the webcast on 2.8.4 was a performance improvement, but the trade-off is that rules with Any -> Any won't be processed by some of the preprocessors (like Stream5).  I was curious about how many rules are Any -> Any, and in my configuration (files with none are removed):

attack-responses.rules:1
bad-traffic.rules:4
deleted.rules:5
dns.rules:2
emerging-attack_response.rules:2
emerging-malware.rules:1
emerging-p2p.rules:6
emerging-policy.rules:31
emerging-scan.rules:7
emerging-virus.rules:34
exploit.rules:4
icmp.rules:3
policy.rules:2
tftp.rules:8

So, my question is, is it worth turning this new feature on?  Is anyone else using it yet?  Better performance sounds good...

Thanks,
Shawn
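
A per-file tally like the one in the original post can be reproduced by parsing rule headers, shown here as an added example that is not part of the thread. It assumes "Any -> Any" means `any` in both port fields and one rule per line; the rule text and file names are constructed samples. Rules are also split by protocol and by whether they use `flow`/`flowbits`, since the Stream5 README says its `ignore_any_rules` option never ignores rules that use those options.

```python
import re
from collections import Counter

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+\S+\s+(\S+)"
    r"\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$"
)
# A flow: or flowbits: option at the start of the option list or after an unescaped ';'
STATEFUL = re.compile(r"(?:^|(?<!\\);)\s*(?:flow|flowbits)\s*:")

def any_any_rules(text):
    """Yield (proto, uses_flow) for each active rule with 'any' in both port fields."""
    for line in text.splitlines():
        m = HEADER.match(line)  # commented-out rules start with '#' and do not match
        if not m:
            continue
        proto, sport, dport, opts = m.groups()
        if sport.lower() == "any" and dport.lower() == "any":
            yield proto.lower(), bool(STATEFUL.search(opts))

def summarize(files):
    """Map file name -> Counter keyed by (proto, uses_flow); files with no hits are dropped."""
    out = {}
    for name, text in files.items():
        counts = Counter(any_any_rules(text))
        if counts:
            out[name] = counts
    return out

# Constructed sample rules (not taken from any real ruleset).
SAMPLE = {
    "local-a.rules": '''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed 1"; content:"abc"; sid:1000001;)
alert tcp any any -> any any (msg:"constructed 2"; flow:established; content:"xyz"; sid:1000002;)
alert udp $HOME_NET any -> any any (msg:"constructed 3"; content:"q"; sid:1000003;)
# alert tcp any any -> any any (msg:"disabled"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed 5"; sid:1000005;)
''',
    "local-b.rules": '''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed 6"; sid:1000006;)
''',
}

if __name__ == "__main__":
    for name, counts in sorted(summarize(SAMPLE).items()):
        for (proto, uses_flow), n in sorted(counts.items()):
            print(f"{name}: {n} {proto} any-port rule(s), flow/flowbits={uses_flow}")
```

To run it against a real configuration, build the `files` mapping by reading each `.rules` file from the rules directory.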

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users