[Snort-users] Certain ET rulesets and 100 percent usage.

Martin Roesch roesch at ...1935...
Thu May 7 18:38:46 EDT 2009


Yeah, you're hitting the rule chains iteratively and that's just not
going to perform.  If you want to filter large sets of IP addresses
that would be more properly implemented as a preprocessor with
dedicated functionality.

Marty

On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman at ...4024...> wrote:
> Straight IP matching is something Snort doesn't do well. Unfortunately.
> So this isn't that unexpected.
>
> I'd only run those rulesets where you can afford the cycles, or run a
> second snort for these alone and turn off everything in its config to
> streamline some.
>
> Matt
>
> jlay at ...13475... wrote:
>> So here's something interesting.  Enabling ANY of the below rulesets
>> results in snort using 100% CPU:
>>
>> emerging-botcc.rules
>> emerging-compromised.rules
>> emerging-drop.rules
>> emerging-dshield.rules
>> emerging-rbn.rules
>> emerging-tor.rules
>>
>> Without them, snort uses around 49%.  Using 2.8.4.1 with about 700K average
>> traffic.  Any thoughts?  Thanks.
>>
>> James
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
>> production scanning environment may not be a perfect world - but thanks to
>> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700
>> Series Scanner you'll get full speed at 300 dpi even with all image
>> processing features enabled. http://p.sf.net/sfu/kodak-com
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc



-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
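To make Marty's point concrete, here is an added example (not Snort code, and not from anyone on this thread) that models the two approaches in Python. The first matcher walks a list of address-range rules one by one for every packet, the way a rule chain built from thousands of per-IP rules behaves; the second keeps one hash set per distinct prefix length, so the work per packet depends on how many prefix lengths the list uses, not on how many entries it has. The blocklist ranges, the synthetic 10.0.0.0/8 entries and the sample packet addresses are all constructed for the demo; the class and function names are my own. IPv4 only.

```python
import ipaddress

# Constructed sample blocklist (documentation ranges only); overlapping
# prefixes are included on purpose so the longest-prefix path is exercised.
BLOCKLIST_CIDRS = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "203.0.113.128/25",
    "198.51.100.42/32",
]

# Constructed sample "packets": one listed, two not listed (for the synthetic list).
SAMPLE_PACKETS = ["10.0.0.1", "10.0.19.136", "172.16.0.1"]


def synthetic_blocklist(n):
    """Build n constructed /32 entries in 10.0.0.0/8 to model a large IP list."""
    return ["10.%d.%d.%d/32" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
            for i in range(n)]


class IterativeMatcher:
    """Models one rule per address range, evaluated in sequence per packet.

    Work per packet grows linearly with the number of entries, which is why
    loading thousands of IP-only rules pins the CPU.
    """

    def __init__(self, cidrs):
        self.rules = [ipaddress.ip_network(c) for c in cidrs]
        self.comparisons = 0  # how many rule checks were performed in total

    def is_listed(self, ip):
        addr = ipaddress.ip_address(ip)
        for net in self.rules:
            self.comparisons += 1
            if addr in net:
                return True
        return False


class PrefixSetMatcher:
    """Models a dedicated lookup structure: one hash set per prefix length.

    Work per packet is bounded by the number of distinct prefix lengths in
    the list (at most 33 for IPv4), independent of how many entries it holds.
    """

    def __init__(self, cidrs):
        self.by_prefix = {}  # prefixlen -> set of masked network ints
        for c in cidrs:
            net = ipaddress.ip_network(c)
            if net.version != 4:
                raise ValueError("IPv4 only in this example: %s" % c)
            self.by_prefix.setdefault(net.prefixlen, set()).add(
                int(net.network_address))
        # Check longest prefixes first so a /32 hit does not need the /24 check.
        self.prefixlens = sorted(self.by_prefix, reverse=True)
        self.comparisons = 0  # how many hash lookups were performed in total

    def is_listed(self, ip):
        addr = int(ipaddress.ip_address(ip))
        for plen in self.prefixlens:
            self.comparisons += 1
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            if (addr & mask) in self.by_prefix[plen]:
                return True
        return False


def count_work(matcher_cls, cidrs, packets):
    """Return (hits, total_comparisons) for matching every packet against cidrs."""
    matcher = matcher_cls(cidrs)
    hits = sum(1 for ip in packets if matcher.is_listed(ip))
    return hits, matcher.comparisons


if __name__ == "__main__":
    big = synthetic_blocklist(5000)
    for cls in (IterativeMatcher, PrefixSetMatcher):
        hits, work = count_work(cls, big, SAMPLE_PACKETS)
        print("%-18s hits=%d comparisons=%d" % (cls.__name__, hits, work))
```

With the 5000-entry synthetic list and three packets, the iterative matcher performs 10002 rule checks while the prefix-set matcher performs 3 lookups; doubling the list doubles the former and leaves the latter unchanged. That is the difference between filtering IP sets in the rule chain and filtering them in a purpose-built component, and it is why a large IP blocklist belongs in a dedicated lookup rather than in per-address rules.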

