[Snort-users] Suppress versus #Rule for performance.

Joel Esler jesler at ...1935...
Fri May 28 10:46:11 EDT 2010


That's a great feature JJ. 

--
Sent from my iPad
Joel Esler
302-223-5974
Jabber:jesler at ...1935...

On May 28, 2010, at 10:06 AM, JJC <cummingsj at ...11827...> wrote:

> Just as a quick addendum and an "undocumented" feature of pulledpork... the functions that enable/disable/drop sids do support basic regular expressions... so if I want all of the MS00 or MS99 stuff modified... I could do the following (basic example, mileage may vary)
> 
> MS00-.+,MS99-.+ etc....
> 
> hth,
> JJC
> 
> On Thu, May 20, 2010 at 7:40 PM, Jason Wallace <jason.r.wallace at ...14459.....> wrote:
> Start by turning off categories you do not need. If you are not
> running imap, pop2, pop3, etc., comment out the category in snort.conf
> or skip them in OM/PP.
> 
> After that I do the following...
> 1. turn everything else on *gasp*
> 
> 2. then start using "grep -i" on the files for things I know I do not
> need (MS99, MS00, solaris, novel, mozilla, itunes, etc.) and start
> sending their SIDs to my disablesid.conf in PP. Over the years I've
> kept a running tab on stuff in the rules that I'll probably not have
> to deal with. This has made tuning new sensors easier.
> 
> 3. Then I look for any -> any rules and turn any off I do not need
> 
> 4. review big pcre rules and disable as needed
> 
> 5. after that I just start working the alerts, reading the references,
> and disabling as needed.
> 
> I do it this way because I would much rather have a little bloat in my
> rules than mistakenly turn something off I need. Not everyone agrees
> with this approach, but it works for me.
> 
> Someday I hope the metadata tag moves to a point where specific
> applications are noted. That would make things much easier.
> 
> Wally
> 
> 
> On Thu, May 20, 2010 at 5:33 PM, Ray Caparros <arcy24 at ...11827...> wrote:
> > We used IDS Policy Manager in past from Activeworx seems pretty decent.
> >
> > http://www.activeworx.org/Downloads/tabid/54/Default.aspx
> >
> > -Ray
> >
> >
> > On Thu, May 20, 2010 at 5:23 PM, JJ Cummings <cummingsj at ...11827...> wrote:
> >> Another approach might be to enable only what you need.  Using pulledpork
> >> you can enable everything for MSXX-XXXX as an example.  So compile a list of
> >> all of the MSXX-XXXXs from the years that you want and put those in
> >> enablesid for PP... just as a thought....
> >> JJC
> >>
> >> On Thu, May 20, 2010 at 3:15 PM, Jefferson, Shawn
> >> <Shawn.Jefferson at ...14448...> wrote:
> >>>
> >>> There are lots of rules for systems that we don’t run, and I’ve thought
> >>> about disabling them to improve performance; however, this is a daunting job
> >>> as it seems I have to go into every rules file (actually the oinkmaster or
> >>> pulledpork conf) and disable them.  How are other people doing this, or are
> >>> you just not doing it at all?
> >>>
> >>> Thanks,
> >>>
> >>> Shawn
> >>>
> >>> ________________________________
> >>>
> >>> From: Joel Esler [mailto:jesler at ...1935...]
> >>> Sent: Thursday, May 20, 2010 2:04 PM
> >>> To: Bill Pickens
> >>> Cc: Snort-users at lists.sourceforge.net
> >>> Subject: Re: [Snort-users] Suppress versus #Rule for performance.
> >>>
> >>> On May 20, 2010, at 4:55 PM, Bill Pickens wrote:
> >>>
> >>> Hello Everyone,
> >>>
> >>> After Snort has loaded....
> >>>
> >>> Is there a difference in Snort performance between suppressing a rule or
> >>> "#" commenting the rule out?
> >>>
> >>> Commenting out a rule turns the rule off, which means that content does
> >>> not need to be memorized, therefore -- faster.
> >>>
> >>> Suppressing a rule just turns off the alert; the rule is still being run.
> >>>
> >>> --
> >>>
> >>> Joel Esler
> >>>
> >>> ------------------------------------------------------------------------------
> >>>
> >>>
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
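The grep-based tuning Wally describes (steps 2 to 4: keyword matches such as MS99/MS00/solaris/itunes, any -> any rules, large pcre rules) together with the regex-style patterns JJC mentions, scripted as an added example. This is not code from the thread, from pulledpork or from Snort. It assumes that disablesid.conf takes one gid:sid entry per line, it runs against a constructed sample rules file with made-up SIDs that the script writes itself, and it adds one check the thread does not show: a cap on how many rules a single pattern may select, so an over-broad expression cannot silently turn off something you need. Candidates are only printed until you explicitly stage them, so the list can be read against the rule messages first.

```shell
#!/bin/sh
# Added example (not from the thread, pulledpork or Snort): script the
# grep-based tuning steps so candidate SIDs can be reviewed before anything
# is disabled. Assumptions: disablesid.conf takes one "gid:sid" per line
# (assumed format); the rules file below is constructed, with made-up SIDs.

WORK="${TMPDIR:-/tmp}"
RULES_FILE="$WORK/sample_tuning.rules"

# Constructed sample rules. Rule 3 is already commented out and must be
# ignored; rule 5 carries an explicit gid to exercise gid parsing.
cat > "$RULES_FILE" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web attack MS00-001"; content:"foo"; reference:url,example.invalid/MS00-001; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb attack MS99-042"; content:"bar"; classtype:attempted-admin; sid:1000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE already disabled MS00-099"; content:"baz"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE any-to-any itunes traffic"; content:"itunes"; nocase; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE solaris telnet probe"; content:"qux"; gid:3; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE heavy pcre rule"; pcre:"/^(?:[a-z0-9]{2,}[-_.])+[a-z0-9]{2,}@(?:[a-z0-9-]{1,63}\.){1,4}[a-z]{2,6}\s+.{0,200}?(?:select|union|insert)\s/i"; sid:1000006; rev:1;)
EOF

# Read rule lines on stdin, skip ones already commented out, and print
# "gid:sid" for each. Text rules without a gid option default to gid 1.
extract_ids() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /sid:[ \t]*[0-9]+/) {
            s = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", s)
            g = "1"
            if (match($0, /gid:[ \t]*[0-9]+/)) {
                g = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", g)
            }
            print g ":" s
        }'
}

# Step 2: rules whose text matches an extended regex, case-insensitively
# (e.g. 'MS00-.+|MS99-.+' or 'solaris|novell|itunes').
sids_matching() {
    grep -iE -- "$2" "$1" | extract_ids
}

# Step 3: rules with an any any -> any any (or <>) header.
any_to_any_sids() {
    grep -iE '^(alert|log|pass|drop|reject|sdrop)[[:space:]]+[a-z]+[[:space:]]+any[[:space:]]+any[[:space:]]+(->|<>)[[:space:]]+any[[:space:]]+any' "$1" | extract_ids
}

# Step 4: rules whose pcre body is longer than $2 characters. The pcre is
# assumed not to contain an unescaped double quote (true of normal rules).
long_pcre_sids() {
    awk -v max="$2" 'match($0, /pcre:"[^"]*"/) && RLENGTH - 7 > max' "$1" | extract_ids
}

# Append candidates from stdin to a disablesid.conf, deduplicated, but refuse
# if one pattern selected more than $2 rules: an over-broad regex (think
# "ms" instead of "MS00-") would otherwise blind the sensor in one step.
stage_disables() {
    conf="$1"; max="$2"
    tmp="$conf.candidates"
    cat > "$tmp"
    n=$(grep -c . "$tmp" || true)
    if [ "$n" -gt "$max" ]; then
        echo "refusing: $n rules selected, limit is $max (pattern too broad?)" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" >> "$conf"
    rm -f "$tmp"
    sort -u -o "$conf" "$conf"
    return 0
}

# Preview what each step would disable; nothing is written until you pipe a
# list into stage_disables, e.g.:
#   sids_matching "$RULES_FILE" 'MS00-.+|MS99-.+' | stage_disables /etc/pulledpork/disablesid.conf 200
echo "MS00/MS99 rules:";   sids_matching "$RULES_FILE" 'MS00-.+|MS99-.+'
echo "platforms we lack:"; sids_matching "$RULES_FILE" 'solaris|novell|itunes'
echo "any -> any rules:";  any_to_any_sids "$RULES_FILE"
echo "long pcre rules:";   long_pcre_sids "$RULES_FILE" 60
```

Entries staged this way end up as commented-out rules in the generated rules file, so they get the performance benefit Joel describes for "#", whereas a suppress entry only silences the alert and leaves the rule running. Keep the cap low on a first pass and raise it only after eyeballing the candidate list.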