[Snort-users] lots of rules loaded and snort performance

Pedro Marinho pppmarinho at ...11827...
Fri Nov 5 17:24:09 EDT 2010


Hello Gentlemen,

Some months ago I was having a problem with high packet drop rates at my
sensors.

I am trying to consolidate all the rules I need into one file to solve this
problem.

First I issue this command to create a file with the rules' msg strings:

egrep -i '(MALWARE|WORM|Cisco|BrightStor|Shockwave|Microsoft|Adobe|MS-SQL|IBM|IIS|Symantec|Oracle|TROJAN|USER_AGENTS)' ETregras2.8.4/rules/*.rules | grep -i -G msg:"\w*" | cut -d\" -f2 | cut -d";" -f1 > free2.txt

Then I wrote a tiny Perl script to read from that file and put the rules into
one file, capturing the output with the shell '>' operator, like:
perl myscript.pl > somefile.rules

#!/usr/bin/perl
use strict;
use warnings;

# Read the emerging-*.rules files once instead of spawning one grep per message.
my @rule_lines;
for my $file (glob('ETregras2.8.4/rules/emerging-*.rules')) {
    open(my $fh, '<', $file) or die "cannot open $file: $!";
    push @rule_lines, <$fh>;
    close($fh);
}

open(my $xyz, '<', 'free2.txt') or die "cannot open free2.txt: $!";
while (my $rule_msg = <$xyz>) {
    chomp($rule_msg);
    next if $rule_msg eq '';
    # \Q...\E quotes the message text, so quotes, parentheses and other
    # metacharacters are matched literally; no shell is involved, so the
    # "sh: -c" syntax errors cannot occur.
    my $pattern = qr/\Q$rule_msg\E/i;
    for my $line (@rule_lines) {
        # lines come straight from the files, so there is no "file:" prefix to strip
        print $line if $line =~ $pattern;
    }
}   # end while not eof
close($xyz);

The odd thing is that during the script execution I am getting some warnings
(I am not a Perl monk, btw):

sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: syntax error near unexpected token `('


My question is: how do you people remove rules that you don't need? Do you
all do it like Jason suggested? He said "just get the sid and then I
add them to my oinkmaster file to be disabled".

I am asking because it seems that having a large number of rules loaded in
the detection engine is not good for performance, especially rules that match
on IP values. Bad performance increases the risk of false
negatives.

Any suggestions?

2009/6/17 Jason Wallace <jason.r.wallace at ...11827...>

> From my past experience I would say 6700 rules is kind of a lot.
>
> Take a look at page 84 "2.4.1 Rule Profiling"...
>
> http://www.snort.org/assets/82/snort_manual.pdf
>
> Set that up to determine what rules are the most intensive and
> determine if you really need those enabled.
>
> Also...
>
> I usually also 'grep -i' through the rule files I use looking for
> things in the messages that I know I do have in my environment...
>
> Novell
> WhatsUpGold
> ClamAV
> sendmail
> Solaris
> McAfee
> Symantec
> BrightStor
>
> example...
>
> grep -i brightstor /etc/snort/vrt/*.rules
>
> make sure these rules are really related to brightstor then...
>
> grep -i brightstor /etc/snort/vrt/*.rules | grep -Po sid\:[0-9]*\; | cut -d: -f2 | cut -d";" -f1
>
> to just get the sid and then I add them to my oinkmaster file to be
> disabled.
>
> Hope this helps.
>
>
>
> On Wed, Jun 17, 2009 at 10:23 AM, Pedro Marinho<pppmarinho at ...11827...>
> wrote:
> > Jason,
> >
> > I did it with the -T switch.. I forgot that you can bring snort up in test
> > mode with the -T option
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > 6713 Snort rules read
> >     6713 detection rules
> >     0 decoder rules
> >     0 preprocessor rules
> > 6713 Option Chains linked into 315 Chain Headers
> > 0 Dynamic rules
> >
> > So this is too many rules?
> >
>


2010/5/28 Joel Esler <jesler at ...1935...>

> Pedro,
>
> You should be aiming for 0% packet loss. You should disable any rules that
> do not apply to your environment.
>
> --
> Sent from my iPad
> Joel Esler
> 302-223-5974
> Jabber: jesler at ...1935...
>
>
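As an added example (not code from the original post, nor from Snort or oinkmaster), here is the same keyword-driven selection done in Python. It parses the msg and sid options directly from rule text instead of passing message strings through a shell, so messages containing quotes or parentheses (the characters that produce the `sh: -c` errors above) are matched literally, and it can emit oinkmaster `disablesid` lines for either side of the split: Pedro's "keep what matches my environment" or Jason's "disable what matches products I run". The rule text is constructed sample data, not real ET rules.

```python
"""Select Snort rules by msg keyword and emit an oinkmaster disable list.

Added example; the rule text below is constructed and stands in for
ETregras2.8.4/rules/*.rules from the post.
"""
import re

# Constructed sample rules (not real Emerging Threats signatures). One is
# commented out, and one msg deliberately contains ' and ( ).
SAMPLE_RULES = """\
# comment line
alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"ET EXPLOIT BrightStor ARCserve overflow attempt"; flow:to_server,established; content:"|00 01|"; sid:2001234; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (it's 'odd')"; flow:established,to_server; content:"User-Agent|3a| odd"; sid:2002345; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET WORM Old worm propagation"; content:"|90 90|"; sid:2003456; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Known C2 address"; sid:2004567; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Sendmail VRFY"; flow:to_server; content:"VRFY"; sid:2005678; rev:1;)
"""

# A rule line: optional leading '#' (disabled), an action, a header, then the
# option block in the first '(' ... last ')'. Non-greedy '.*?' finds the first
# '(' so parentheses inside msg strings do not confuse the split.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'.*?\((?P<options>.*)\)\s*$'
)
# msg:"..." with backslash-escaped characters allowed inside the quotes.
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_rules(text):
    """Return a list of {'sid', 'msg', 'enabled'} for every rule line found."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line, plain comment, or not a rule
        opts = m.group('options')
        msg, sid = MSG_RE.search(opts), SID_RE.search(opts)
        if not (msg and sid):
            continue  # malformed rule: no msg or no sid
        rules.append({'sid': int(sid.group(1)),
                      'msg': msg.group(1),
                      'enabled': m.group('disabled') is None})
    return rules


def select_sids(rules, keywords, keep=True):
    """sids whose msg matches any keyword (keep=True), or matches none (keep=False).

    Keywords are matched literally and case-insensitively, like grep -i -F.
    """
    pat = re.compile('|'.join(re.escape(k) for k in keywords), re.IGNORECASE)
    return sorted(r['sid'] for r in rules if bool(pat.search(r['msg'])) == keep)


def oinkmaster_disable_lines(sids):
    """Lines for oinkmaster.conf that disable the given sids."""
    return [f'disablesid {sid}' for sid in sids]


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print(f"{len(rules)} rules parsed, {sum(r['enabled'] for r in rules)} enabled")
    # Jason's approach: products I run -> sids to disable.
    for line in oinkmaster_disable_lines(select_sids(rules, ['sendmail', 'Novell'])):
        print(line)
    # Pedro's approach: categories I want -> everything else is a disable candidate.
    wanted = ['BrightStor', 'USER_AGENTS', 'WORM', 'TROJAN']
    print('disable candidates:', select_sids(rules, wanted, keep=False))
```

Run it against real rule files by reading them into `text` (for example `''.join(open(f).read() for f in glob.glob('rules/*.rules'))`) and appending the emitted lines to the oinkmaster configuration; commented-out rules are still parsed so a sid that is already disabled in the file is not silently missed.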

