[Snort-users] Suppress versus #Rule for performance.

Jason Wallace jason.r.wallace at ...11827...
Thu May 20 21:40:54 EDT 2010


Start by turning off categories you do not need. If you are not
running imap, pop2, pop3, etc, comment out the category in snort.conf
or skip them in OM/PP.

After that I do the following...
1. turn everything else on *gasp*

2. then start using "grep -i" on the files for things I know I do not
need (MS99, MS00, solaris, novell, mozilla, itunes, etc) and start
sending their SIDs to my disablesid.conf in PP. Over the years I've
kept a running tab on stuff in the rules that I'll probably not have
to deal with. This has made tuning new sensors easier.

3. Then I look for any -> any rules and turn any off I do not need

4. review big pcre rules and disable as needed

5. after that I just start working the alerts, reading the references,
and disabling as needed.

I do it this way because I would much rather have a little bloat in my
rules than mistakenly turn something off I need. Not everyone agrees
with this approach, but it works for me.

Someday I hope the metadata tag moves to a point where specific
applications are noted. That would make things much easier.

Wally
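Steps 2 and 3 above, automated, as an added example that is not part of the list post and not pulledpork's own code: it parses Snort 2.x rule lines (constructed samples with made-up SIDs and a placeholder reference), runs the case-insensitive keyword pass that "grep -i" does, flags any -> any headers for manual review, and writes a disablesid.conf fragment as one gid:sid per line, the form pulledpork accepts. A rule already commented out with "#" is skipped, since Snort never loads it.

```python
import re

# Constructed sample rules in Snort 2.x syntax (not from the list post); SIDs are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP example overflow attempt"; flow:to_server,established; content:"LOGIN"; nocase; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 524 (msg:"NETWARE Novell NCP example"; content:"|01|"; reference:url,example.invalid/novell; classtype:attempted-user; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"POLICY iTunes example request"; content:"itunes"; nocase; sid:9000003; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-CLIENT Mozilla example"; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example"; pcre:"/^\\x00/"; sid:9000005; rev:3;)
"""

# Header = action proto src sport dir dst dport, then the option body in parentheses.
RULE_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+(?P<src>\S+)\s+\S+\s+'
                     r'(->|<>)\s+(?P<dst>\S+)\s+\S+\s*\((?P<body>.*)\)\s*$')

def parse_rules(text):
    """Yield one dict per active rule; lines starting with '#' are already disabled and skipped."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        body = m.group('body')
        sid = re.search(r'\bsid:\s*(\d+)', body)
        if not sid:
            continue
        gid = re.search(r'\bgid:\s*(\d+)', body)   # gid defaults to 1 when absent
        msg = re.search(r'msg:\s*"([^"]*)"', body)
        yield {'key': f"{gid.group(1) if gid else '1'}:{sid.group(1)}",
               'msg': msg.group(1) if msg else '', 'body': body,
               'any_to_any': m.group('src') == 'any' and m.group('dst') == 'any'}

def keyword_matches(text, keywords):
    """Step 2, the 'grep -i' pass: gid:sid of active rules whose text mentions a keyword."""
    kws = [k.lower() for k in keywords]
    return [r['key'] for r in parse_rules(text) if any(k in r['body'].lower() for k in kws)]

def any_to_any_rules(text):
    """Step 3: active rules whose header is 'any ... -> any ...', worth a manual look."""
    return [r['key'] for r in parse_rules(text) if r['any_to_any']]

def render_disablesid(text, keywords):
    """pulledpork disablesid.conf fragment: a '#' comment with the msg, then one gid:sid per line."""
    wanted = set(keyword_matches(text, keywords))
    out = []
    for r in parse_rules(text):
        if r['key'] in wanted:
            out.append(f"# {r['msg']}")
            out.append(r['key'])
    return "\n".join(out) + "\n"
```

Because the keyword pass searches the whole option body, a keyword also hits rules that only mention it in a reference, which is exactly why the output is reviewed before it goes into disablesid.conf.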


On Thu, May 20, 2010 at 5:33 PM, Ray Caparros <arcy24 at ...11827...> wrote:
> We used IDS Policy Manager in past from Activeworx seems pretty decent.
>
> http://www.activeworx.org/Downloads/tabid/54/Default.aspx
>
> -Ray
>
>
> On Thu, May 20, 2010 at 5:23 PM, JJ Cummings <cummingsj at ...11827...> wrote:
>> Another approach might be to enable only what you need.  Using pulledpork
>> you can enable everything for MSXX-XXXX as an example.  So compile a list of
>> all of the MSXX-XXXXs from the years that you want and put those in
>> enablesid for PP... just as a thought.
>> JJC
>>
>> On Thu, May 20, 2010 at 3:15 PM, Jefferson, Shawn
>> <Shawn.Jefferson at ...14448...> wrote:
>>>
>>> Hi,
>>>
>>> There are lots of rules for systems that we don’t run, and I’ve thought
>>> about disabling them to improve performance, however this is a daunting job
>>> as it seems I have to go into every rules file (actually oinkmaster or
>>> pulled pork conf) and disable them.  How are other people doing this, or are
>>> you just not doing it at all?
>>>
>>> Thanks,
>>>
>>> Shawn
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: Joel Esler [mailto:jesler at ...1935...]
>>> Sent: Thursday, May 20, 2010 2:04 PM
>>> To: Bill Pickens
>>> Cc: Snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Suppress versus #Rule for performance.
>>>
>>> On May 20, 2010, at 4:55 PM, Bill Pickens wrote:
>>>
>>> Hello Everyone,
>>>
>>> After Snort has loaded....
>>>
>>> Is there a difference in Snort performance between suppressing a rule or
>>> "#" commenting the rule out?
>>>
>>> Commenting out a rule turns the rule off, which means that content does
>>> not need to be memorized, therefore -- faster.
>>>
>>> Suppressing a rule just turns off the alert, the rule is still being run.
>>>
>>> --
>>>
>>> Joel Esler
>>>
>>> ------------------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>