[Snort-users] Certain ET rulesets and 100 percent usage.

Matt Jonkman jonkman at ...4024...
Fri May 8 09:19:37 EDT 2009


Religious argument so I won't beat it too much. But many places haven't
the easy ability to add massive numbers of rules to firewalls. Can you
imagine sticking all of the RBN and compromised hosts into a checkpoint
firewall via the gui every 24 hours? Or a sonicwall? There's a nice
little hell. And then reconciling the ones that have dropped out of
being labeled hostile and removing those.... etc

And then you have the folks that just have a router on the perimeter,
and depending on the model you may not have the ram to have a shun route
for every IP, you have to go with just those that you've seen and remove
them after the timeout (snortsam functionality)

So ya, in an ideal world firewalls are best for blocking and massive IP
matching. But in reality it's difficult to use this threat data in that way.

Matt


Randal T. Rioux wrote:
> Forgive me if I'm wrong, but isn't using Snort to implement an IP
> blocklist sub-optimal? Isn't this a better task for your firewall?
> 
> I just think an IDS should stick to what it does best.
> 
> Randy
> 
> 
> On Thu, May 7, 2009 6:38 pm, Martin Roesch wrote:
>> Yeah, you're hitting the rule chains iteratively and that's just not
>> going to perform.  If you want to filter large sets of IP addresses that
>> would be more properly implemented as a preprocessor with dedicated
>> functionality.
>>
>> Marty
>>
>> On Thu, May 7, 2009 at 12:15 PM, Matt Jonkman <jonkman at ...4024...>
>> wrote:
>>> Straight IP matching is something Snort doesn't do well. Unfortunately.
>>> So this isn't that unexpected.
>>>
>>> I'd only run those rulesets where you can afford the cycles, or run a
>>> second snort for these alone and turn off everything in its config to
>>> streamline some.
>>>
>>> Matt
>>>
>>> jlay at ...13475... wrote:
>>>> So here's something interesting.  Enabling ANY of the below rulesets
>>>> results in snort using 100% CPU:
>>>>
>>>> emerging-botcc.rules emerging-compromised.rules emerging-drop.rules
>>>> emerging-dshield.rules emerging-rbn.rules emerging-tor.rules
>>>>
>>>> Without them, snort uses around 49%.  Using 2.8.4.1 with about 700K average
>>>> traffic.  Any thoughts?  Thanks.
>>>>
>>>> James
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>> -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>> Sourcefire - Security for the Real World - http://www.sourcefire.com
>> Snort: Open Source IDP - http://www.snort.org
>>
>>
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
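The performance point made in the thread (testing a packet against thousands of individual IP rules one after another does not scale, while a dedicated lookup structure does) can be shown with an added example; this is illustrative code written for this archive page, not code from Snort, Emerging Threats or any of the posters, and the blocklist feed it builds is constructed sample data, not a real ET ruleset.

```python
"""Large IP-blocklist matching: linear rule-list scan vs. a prefix-indexed set.

Linear scan mimics hitting the rule chain once per rule; PrefixIndex mimics
what a dedicated preprocessor does (mask the address, one set lookup per
distinct prefix length). IPv4 only. Sample feed is constructed, not real.
"""
import ipaddress
import time


def parse_blocklist(lines):
    """Parse feed lines ('1.2.3.4' or '1.2.3.0/24', '#' comments) into networks."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def linear_match(ip, nets):
    """Rule-chain style: test every rule in turn. Cost grows with the rule count."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


class PrefixIndex:
    """Networks grouped by prefix length; lookup cost is independent of list size."""

    def __init__(self, nets):
        self.by_len = {}
        for net in nets:
            self.by_len.setdefault(net.prefixlen, set()).add(int(net.network_address))

    def __contains__(self, ip):
        a = int(ipaddress.ip_address(ip))
        for plen, members in self.by_len.items():
            if (a >> (32 - plen)) << (32 - plen) in members:
                return True
        return False


def build_sample_feed(n):
    """Constructed feed: n host entries inside 10.0.0.0/8 plus one /24 block."""
    lines = ["# constructed sample, not a real feed"]
    lines += [f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}" for i in range(1, n + 1)]
    lines.append("192.0.2.0/24")
    return lines


def benchmark(n=20000, probes=("10.0.1.1", "192.0.2.77", "198.51.100.9")):
    """Return (linear_seconds, indexed_seconds, hits) for the probe addresses."""
    nets = parse_blocklist(build_sample_feed(n))
    idx = PrefixIndex(nets)
    t0 = time.perf_counter()
    lin = [linear_match(p, nets) for p in probes]
    t1 = time.perf_counter()
    ind = [p in idx for p in probes]
    t2 = time.perf_counter()
    assert lin == ind  # both strategies must agree on every probe
    return t1 - t0, t2 - t1, lin
```

Running `benchmark()` with a 20,000-entry feed shows the linear pass taking orders of magnitude longer than the indexed one while returning the same hits, which is the effect James saw when enabling the large IP-list rulesets.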





