[Snort-users] Snort 2.8.6 performance
Matt Olney
molney at ...1935...
Fri Oct 8 18:50:21 EDT 2010
From a performance perspective, there are three rules we need to address:
4677, 4676 and 17468. Those three rules address significantly older bugs,
and I'd recommend you disable them unless you need them for known
vulnerabilities. A fix to those three bugs will be in the next rule
release.
I know you have 10 rules on your list, but a majority of them have a very
low check number. These three have a high microsecond evaluation time and a
large number of checks.
Matt
On Fri, Oct 8, 2010 at 5:58 PM, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:
> Hi,
>
> My suspicion is that this is rule related somehow... I turned off the
> so_rules and that didn't make any difference, and I also turned off the
> attribute table just for fun, since the one I load is pretty big.
>
> Nothing... so I reconfigured/recompiled to allow rule performance checks.
>
> timestamp: 1286574608
> Rule Profile Statistics (worst 10 rules)
> ==========================================================
> Num    SID  GID  Rev  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
> ===  =====  ===  ===  ======  =======  ======  =========  =========  =========  ============
>   1   4677    1    3  100664        0       0  615540707     6114.8        0.0        6114.8
>   2  13272    1    3       6        0       0      17891     2981.9        0.0        2981.9
>   3  11324    1    4      21        0       0      39429     1877.6        0.0        1877.6
>   4  17468    1    1   33163        0       0   44821199     1351.5        0.0        1351.5
>   5  10504    1    2      68        0       0       8006      117.7        0.0         117.7
>   6  10505    1    2      68        0       0       8002      117.7        0.0         117.7
>   7   4676    1    3   33076        0       0    1931555       58.4        0.0          58.4
>   8  17666    1    1     594        0       0      13802       23.2        0.0          23.2
>   9  17495    1    1       2        0       0         42       21.2        0.0          21.2
>  10  15910    1    5     232        0       0       3869       16.7        0.0          16.7
>
> I commented out rule 4677 and am running snort on my sensor again to see if
> that will help.
>
> Anybody know anything about this rule and if it may have recently changed?
> There's a very non-unique content match: "GET" and then a PCRE...
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Friday, October 08, 2010 12:36 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort 2.8.6 performance
>
> On 10/8/2010 13:19, Jefferson, Shawn wrote:
> > Has anyone else noticed performance (dropped packets), really take a dive
> > today? I'm missing about 20-30% of packets now... on a sensor that was
> > running great at about 100-200 mb/s until just today/last night. According
> > to my snort stats there isn't anything unusual as far as stream or frag
> > events go, but the snort process is using 100% CPU today. I'm using the
> > VRT paid subscription rules.
>
> please quote back your "snort -V" output... your config may also be needed...
> possible you found a bug or some way that someone is trying to evade IDS
> several other factors...
>
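As an added illustration (not part of the thread, and not Snort's or the VRT's own tooling), a small parser for the profiling block Shawn posted that ranks rules the way Matt does above: by total evaluation time, then by the combination of many checks and a high per-check cost. The thresholds in hot_rules are assumptions chosen to show the triage, not Snort defaults.

```python
from collections import namedtuple

# Constructed input: the profiling block from Shawn's post above, re-joined so
# each rule sits on one line as Snort prints it (the mail client wrapped them).
SAMPLE = """timestamp: 1286574608
Rule Profile Statistics (worst 10 rules)
==========================================================
Num SID GID Rev Checks Matches Alerts Microsecs Avg/Check Avg/Match Avg/Nonmatch
=== === === === ====== ======= ====== ========= ========= ========= ============
1 4677 1 3 100664 0 0 615540707 6114.8 0.0 6114.8
2 13272 1 3 6 0 0 17891 2981.9 0.0 2981.9
3 11324 1 4 21 0 0 39429 1877.6 0.0 1877.6
4 17468 1 1 33163 0 0 44821199 1351.5 0.0 1351.5
5 10504 1 2 68 0 0 8006 117.7 0.0 117.7
6 10505 1 2 68 0 0 8002 117.7 0.0 117.7
7 4676 1 3 33076 0 0 1931555 58.4 0.0 58.4
8 17666 1 1 594 0 0 13802 23.2 0.0 23.2
9 17495 1 1 2 0 0 42 21.2 0.0 21.2
10 15910 1 5 232 0 0 3869 16.7 0.0 16.7
"""

FIELDS = 11  # Num SID GID Rev Checks Matches Alerts Microsecs Avg/Check Avg/Match Avg/Nonmatch
RuleStat = namedtuple("RuleStat", "sid gid rev checks matches microsecs avg_check")

def parse_profile(text):
    """Parse a 'Rule Profile Statistics' block. Numeric tokens after the '==='
    separator are grouped in elevens, so rows a mailer wrapped still parse."""
    tokens, in_rows = [], False
    for line in text.splitlines():
        if line.startswith("="):            # separator line: rows follow
            in_rows = True
        elif in_rows and line[:1].isdigit():
            tokens.extend(line.split())
    if len(tokens) % FIELDS:
        raise ValueError("truncated profiling row")
    rows = [tokens[i:i + FIELDS] for i in range(0, len(tokens), FIELDS)]
    return [RuleStat(int(r[1]), int(r[2]), int(r[3]), int(r[4]), int(r[5]),
                     int(r[7]), float(r[8])) for r in rows]

def hot_rules(stats, min_checks=1000, min_avg_us=50.0):
    """SIDs, ranked by total evaluation time, that are both checked often and
    slow per check. Thresholds are illustrative assumptions, not Snort defaults."""
    ranked = sorted(stats, key=lambda s: s.microsecs, reverse=True)
    return [s.sid for s in ranked
            if s.checks >= min_checks and s.avg_check >= min_avg_us]

def time_share(stats, sid):
    """Fraction of all profiled rule evaluation time spent in one SID."""
    total = sum(s.microsecs for s in stats)
    return next(s.microsecs for s in stats if s.sid == sid) / total
```

On Shawn's numbers hot_rules returns 4677, 17468 and 4676, the three SIDs Matt names, and time_share shows 4677 alone consuming over 92% of profiled rule time.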