[Snort-users] Snort 2.8.6 performance

Matt Olney molney at ...1935...
Fri Oct 8 18:50:21 EDT 2010


From a performance perspective, there are three rules we need to address:
4677, 4676 and 17468.  Those three rules address significantly older bugs,
and I'd recommend you disable them unless you need them for known
vulnerabilities.  A fix to those three bugs will be in the next rule
release.

I know you have 10 rules on your list, but a majority of them have a very
low check number.  These three have a high microsecond evaluation time and a
large number of checks.

Matt

On Fri, Oct 8, 2010 at 5:58 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

> Hi,
>
> My suspicion is that this is rule related somehow... I turned off the
> so_rules and that didn't make any difference, and I also turned off the
> attribute table just for fun, since the one I load is pretty big.
>
> Nothing... so I reconfigured/recompiled to allow rule performance checks.
>
> timestamp: 1286574608
> Rule Profile Statistics (worst 10 rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======           =========  =========  ========= ============
>     1     4677   1   3     100664         0         0           615540707     6114.8        0.0       6114.8
>     2    13272   1   3          6         0         0               17891     2981.9        0.0       2981.9
>     3    11324   1   4         21         0         0               39429     1877.6        0.0       1877.6
>     4    17468   1   1      33163         0         0            44821199     1351.5        0.0       1351.5
>     5    10504   1   2         68         0         0                8006      117.7        0.0        117.7
>     6    10505   1   2         68         0         0                8002      117.7        0.0        117.7
>     7     4676   1   3      33076         0         0             1931555       58.4        0.0         58.4
>     8    17666   1   1        594         0         0               13802       23.2        0.0         23.2
>     9    17495   1   1          2         0         0                  42       21.2        0.0         21.2
>    10    15910   1   5        232         0         0                3869       16.7        0.0         16.7
>
> I commented out rule 4677 and am running snort on my sensor again to see if
> that will help.
>
> Anybody know anything about this rule and if it may have recently changed?
> There's a very non-unique content match: "GET" and then a PCRE...
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Friday, October 08, 2010 12:36 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort 2.8.6 performance
>
> On 10/8/2010 13:19, Jefferson, Shawn wrote:
> > Has anyone else noticed performance (dropped packets), really take a dive
> > today?  I'm missing about 20-30% of packets now... on a sensor that was
> > running great at about 100-200 mb/s until just today/last night. According
> > to my snort stats there isn't anything unusual as far as stream or frag
> > events go, but the snort process is using 100% CPU today. I'm using the
> > VRT paid subscription rules.
>
> please quote back your "snort -V" output... your config may also be
> needed... possible you found a bug or some way that someone is trying to
> evade IDS several other factors...
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
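As an added example (not code from the thread, from Matt, or from the Snort project), here is a small Python script that parses the "Rule Profile Statistics" block Shawn quoted, including the mail-quoted and line-wrapped form it arrived in, and ranks rules by total Microsecs rather than by Avg/Check, which is the reasoning behind Matt's pick of 4677, 17468 and 4676. The function names (parse_rule_profile, rank_by_total_time, time_share, hotspots) and the thresholds in hotspots() are my own choices for illustration, not anything Snort defines.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# The profile block exactly as quoted in the thread: still prefixed with "> "
# and wrapped onto two lines per row by the mail client.
SAMPLE = """\
> timestamp: 1286574608
> Rule Profile Statistics (worst 10 rules)
> ==========================================================
>   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs
>  Avg/Check  Avg/Match Avg/Nonmatch
>   ===      === === ===     ======   =======    ======           =========
>  =========  ========= ============
>     1     4677   1   3     100664         0         0           615540707
>   6114.8        0.0       6114.8
>     2    13272   1   3          6         0         0               17891
>   2981.9        0.0       2981.9
>     3    11324   1   4         21         0         0               39429
>   1877.6        0.0       1877.6
>     4    17468   1   1      33163         0         0            44821199
>   1351.5        0.0       1351.5
>     5    10504   1   2         68         0         0                8006
>    117.7        0.0        117.7
>     6    10505   1   2         68         0         0                8002
>    117.7        0.0        117.7
>     7     4676   1   3      33076         0         0             1931555
>     58.4        0.0         58.4
>     8    17666   1   1        594         0         0               13802
>     23.2        0.0         23.2
>     9    17495   1   1          2         0         0                  42
>     21.2        0.0         21.2
>    10    15910   1   5        232         0         0                3869
>     16.7        0.0         16.7
"""

FIELDS = 11  # Num SID GID Rev Checks Matches Alerts Microsecs Avg/Check Avg/Match Avg/Nonmatch
QUOTE_PREFIX = re.compile(r"^\s*(?:>\s*)+")  # leading "> " mail quoting


@dataclass
class RuleStat:
    num: int
    sid: int
    gid: int
    rev: int
    checks: int
    matches: int
    alerts: int
    microsecs: int
    avg_check: float
    avg_match: float
    avg_nonmatch: float


def parse_rule_profile(text: str) -> List[RuleStat]:
    """Parse the statistics table, tolerating "> " quoting and wrapped rows."""
    rules: List[RuleStat] = []
    pending: List[str] = []  # tokens of a row that has not reached FIELDS yet
    for raw in text.splitlines():
        tokens = QUOTE_PREFIX.sub("", raw).split()
        if not tokens:
            continue
        # Header, separator and "timestamp:" lines never start with a bare
        # integer, so skip them unless we are mid-way through a wrapped row.
        if not pending and not tokens[0].isdigit():
            continue
        pending.extend(tokens)
        if len(pending) >= FIELDS:
            f, pending = pending[:FIELDS], pending[FIELDS:]
            rules.append(RuleStat(*map(int, f[:8]), *map(float, f[8:])))
    return rules


def rank_by_total_time(rules: Iterable[RuleStat], n: int = 3) -> List[int]:
    """SIDs of the n rules with the largest total Microsecs.

    The quoted table is ordered by Avg/Check, which misleads on its own: SID
    13272 costs ~3 ms per check but ran only 6 times, while SID 4676 is cheap
    per check and still burned 1.9 s over 33076 checks.
    """
    ordered = sorted(rules, key=lambda r: r.microsecs, reverse=True)
    return [r.sid for r in ordered[:n]]


def time_share(rules: Iterable[RuleStat], sids: Iterable[int]) -> float:
    """Fraction of all profiled rule time spent in the given SIDs."""
    rules, wanted = list(rules), set(sids)
    total = sum(r.microsecs for r in rules)
    return sum(r.microsecs for r in rules if r.sid in wanted) / total if total else 0.0


def hotspots(rules: Iterable[RuleStat], min_checks: int = 1000,
             min_avg_usec: float = 50.0) -> List[int]:
    """Rules both checked often and expensive per check (thresholds are assumed)."""
    return [r.sid for r in rules if r.checks >= min_checks and r.avg_check >= min_avg_usec]


if __name__ == "__main__":
    stats = parse_rule_profile(SAMPLE)
    top = rank_by_total_time(stats)
    print("Top rules by total time:", top)
    print("Share of profiled rule time: %.2f%%" % (100 * time_share(stats, top)))
    print("Many checks and costly per check:", hotspots(stats))
```

Run as-is, the three SIDs Matt names come out first and account for over 99.9% of the profiled rule time; ordering by Avg/Check alone would have put 13272 and 11324 ahead of 17468 and 4676 even though together they cost well under a tenth of a second.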