[Snort-users] Rule performance profiling question

Joel Esler jesler at ...1935...
Thu Sep 16 09:19:50 EDT 2010


No.  My guess was that waldo kitty was not running SO rules, and that's why
they weren't loaded in his config.

Which he agreed with in a different part of the email thread.

J

On Thu, Sep 16, 2010 at 9:07 AM, Andy Berryman <aberryman at ...14758...> wrote:

> Joel wrote that they “both are SO rules.”
>
> What does that have to do with it? Does it make a difference that they are
> SO rules?
>
> Thanks for the help,
>
> Andy
>
> *From:* Alex Kirk [mailto:akirk at ...1935...]
> *Sent:* Wednesday, September 15, 2010 3:44 PM
> *To:* Andy Berryman
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Rule performance profiling question
>
> Definitely turn off SID 7019 - that's for a Japanese P2P service that's
> probably not on your network.
>
> SID 14643 is something you'll want to consider more closely based on the
> likelihood of being patched in your network. That said, your assessment of
> performance there is correct - it's expensive for not a great deal of return
> in your environment.
>
> On Wed, Sep 15, 2010 at 4:37 PM, Andy Berryman <aberryman at ...14758...>
> wrote:
>
> Does this mean I should turn off this rule b/c of the amount of checks and
> zero alerts for it?
>
> Rule Profile Statistics (worst 100 rules)
> ==========================================================
>    Num    SID  GID  Rev      Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
>    ===    ===  ===  ===      ======  =======  ======  =========  =========  =========  ============
>      1   7019    3    5   234171143        0       0   80911378        0.3        0.0           0.3
>
> What about this one? Not as many checks, but it takes a while to check it
> each time.
>
> Rule Profile Statistics (worst 100 rules)
> ==========================================================
>    Num    SID  GID  Rev      Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
>    ===    ===  ===  ===      ======  =======  ======  =========  =========  =========  ============
>     76  14643    3    3       82610        0       0    4949758       59.9        0.0          59.9
>
> Thanks,
>
> Andy Berryman
> ------------------------------
>
> This message from Cymtec Systems, Inc. contains confidential information
> and is solely for the use of the recipient(s) named above. If you are not
> the intended recipient or an agent responsible for delivering it to the
> intended recipient, you are hereby notified that you have received this
> message in error and that any review, disclosure, copying, distribution or
> use of the contents of this message is strictly prohibited. If you have
> received this message in error, please destroy it immediately and notify
> Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return e-mail.
> ------------------------------
>
>
>
>
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk at ...1935...
>
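The two tables quoted above are what Snort 2.x prints at shutdown when `config profile_rules` is enabled (the "worst 100 rules" heading corresponds to its `print 100` option). Both rows carry GID 3, which is the generator ID Snort assigns to shared-object (SO) rules, so they come from the precompiled `so_rules` set rather than from a text rules file; that is what Joel's remark refers to. The script below is an added example, not code from this thread or from the Snort project. It parses that table format, checks that the printed averages agree with the totals, ranks rules that consumed CPU without ever alerting, and emits `gid:sid` lines in the form that PulledPork's disablesid.conf accepts. The input is a constructed sample built from the two rows in the thread; the one-second (1,000,000 µs) threshold and all function names are my own choices.

```python
"""Rank Snort 2.x 'Rule Profile Statistics' output for rule pruning (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the two rows quoted in the thread, one rule per line
# as Snort prints them (the mail client wrapped them onto two lines each).
SAMPLE_PROFILE = """\
Rule Profile Statistics (worst 100 rules)
==========================================================
   Num    SID  GID  Rev      Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
   ===    ===  ===  ===      ======  =======  ======  =========  =========  =========  ============
     1   7019    3    5   234171143        0       0   80911378        0.3        0.0           0.3
    76  14643    3    3       82610        0       0    4949758       59.9        0.0          59.9
"""

# One data row: eight integer columns followed by three float columns.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


@dataclass(frozen=True)
class RuleStat:
    num: int
    sid: int
    gid: int
    rev: int
    checks: int
    matches: int
    alerts: int
    microsecs: int
    avg_check: float
    avg_match: float
    avg_nonmatch: float

    @property
    def is_shared_object(self) -> bool:
        # GID 3 is the generator ID of Snort's precompiled shared-object (SO) rules.
        return self.gid == 3


def parse_profile(text: str) -> list[RuleStat]:
    """Return one RuleStat per data row; headers, separators and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            f = m.groups()
            rows.append(RuleStat(*map(int, f[:8]), *map(float, f[8:])))
    return rows


def consistent(s: RuleStat, tol: float = 0.1) -> bool:
    """Sanity check: the printed Avg/Check must agree with Microsecs / Checks."""
    return s.checks == 0 or abs(s.microsecs / s.checks - s.avg_check) <= tol


def prune_candidates(stats: list[RuleStat], min_microsecs: int = 1_000_000) -> list[RuleStat]:
    """Rules that burned at least min_microsecs of CPU and never alerted, costliest first.

    Total microseconds is the ranking key: a cheap rule checked hundreds of
    millions of times (SID 7019) outweighs an expensive rule checked rarely.
    """
    return sorted(
        (s for s in stats if s.alerts == 0 and s.microsecs >= min_microsecs),
        key=lambda s: s.microsecs,
        reverse=True,
    )


def cpu_share(stats: list[RuleStat]) -> dict[tuple[int, int], float]:
    """Fraction of the profiled rule time attributable to each (gid, sid)."""
    total = sum(s.microsecs for s in stats)
    return {(s.gid, s.sid): s.microsecs / total for s in stats} if total else {}


def disable_lines(stats: list[RuleStat]) -> list[str]:
    """gid:sid entries in the form PulledPork's disablesid.conf accepts."""
    return [f"{s.gid}:{s.sid}" for s in stats]


if __name__ == "__main__":
    stats = parse_profile(SAMPLE_PROFILE)
    share = cpu_share(stats)
    for s in prune_candidates(stats):
        kind = "SO" if s.is_shared_object else "text"
        print(f"{s.gid}:{s.sid} ({kind}) {s.microsecs / 1e6:8.1f} s  {share[(s.gid, s.sid)]:5.1%} of rule time")
```

Read against the thread: SID 7019 is cheap per check (0.3 µs) but was evaluated 234 million times, so it cost roughly 81 seconds of CPU over the run, about 16 times what SID 14643 cost in total. Avg/Nonmatch is the column to watch for the opposite pattern, a rule that is expensive every time it fires its detection options, which is 14643 at about 60 µs per check. Because both are SO rules, disabling them means removing them from the loaded shared-object set (for example via a disablesid entry in PulledPork), not commenting out a line in a `.rules` file.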