[Snort-users] Snort rules maximum rules per file

Hussein Bahaidarah husseinb at ...11827...
Sat Jul 2 04:02:38 EDT 2011


Hello Martin,

I know that snort is not designed to do that; but I have to use it for many reasons, as my experiment dictates using IDS/IPS. I cannot use Squid; it is a proxy engine and does not serve my purpose.

Thanks

On Jul 1, 2011, at 9:56 PM, Martin Holste wrote:

You are using the wrong tool for URL blocking.  You should be using
squid for this with policy-based routing to transparently redirect all
requests through squid as a transparent proxy.

On Fri, Jul 1, 2011 at 1:12 PM, Hussein Bahaidarah <husseinb at ...11827...> wrote:
> Hello,
> no warning was displayed.
> All rules are simple and of the following format:
> alert tcp any any -> any 80 ( content:"URL"; react:; sid:1; )
> The content, which is basically a URL, is changed on every rule, and the SID is
> incremented from 1 to 942099.
> My system has 4GB memory. Before starting snort 600MB is used, and after snort
> starts the full memory is utilized. That is on 2.9.0.5. Now, I have switched to Version
> 2.9.1_beta as the "react" option was not firing on multiple rules.
> I am testing snort with IXIA; but the results are not good, as it seems that I
> am not configuring Snort in the right way. I need to achieve blocking for a
> big number of URLs with snort. Do you have any recommendations in this
> regard to tweak and optimize snort performance?
> Thanks,
> On Jun 29, 2011, at 7:52 PM, Russ Combs wrote:
> We have kicked this around internally, and don't have a simple configuration
> suggestion to try so a few questions ...
> 
> Did you see any warnings in the startup output when you loaded 942099 rules?
> 
> What kind of rules are these?  Are they all very simple rules or rules with
> lots of options?
> 
> How much memory does your system have?  How much is used before and after
> starting Snort with all those rules?
> 
> Thanks
> Russ
> 
> On Sun, Jun 26, 2011 at 1:04 PM, Hussein Bahaidarah <husseinb at ...11827...>
> wrote:
>> 
>> Hello,
>> I have found after extensive testing that only 131008 rules fire alerts
>> and actions. Any rule after that will not take any action.
>> On Jun 25, 2011, at 8:39 PM, Hussein Bahaidarah wrote:
>> Hello,
>> Is there a limit on the number of rules supported by snort in general? And
>> on a per-file basis? I have customized a file with 942099 rules and it took
>> about 15 minutes to start snort; but no alerts or actions were fired.
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> 942099 Snort rules read
>>     942099 detection rules
>>     0 decoder rules
>>     0 preprocessor rules
>> 942099 Option Chains linked into 1 Chain Headers
>> 0 Dynamic rules
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> +-------------------[Rule Port Counts]---------------------------------------
>> |             tcp     udp    icmp      ip
>> |     src       0       0       0       0
>> |     dst  942099       0       0       0
>> |     any       0       0       0       0
>> |      nc       0       0       0       0
>> |     s+d       0       0       0       0
>> 
>> +----------------------------------------------------------------------------
>> --
>> Regards,
>> Hussein Bahaidara
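As an added example (not from the thread, and not Snort's own tooling): a small Python generator for the one-URL-per-rule format quoted above, which escapes the characters Snort treats specially inside content:"...", skips duplicate URLs so SIDs are not wasted, and audits a rule list for missing or duplicate SIDs before it is loaded. The rule shape, including the bare `react:;`, is copied from the thread as-is; `SAMPLE_URLS` and the function names are constructed for this example.

```python
import re

# Characters with special meaning inside a Snort content:"..." string:
# ';', '\' and '"' are backslash-escaped, and '|' delimits hex bytes, so
# a literal pipe is emitted as the hex byte |7C| instead.
_ESCAPES = {";": "\\;", "\\": "\\\\", '"': '\\"', "|": "|7C|"}

def escape_content(value):
    """Escape a literal string for use inside content:"..."."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def make_rule(url, sid):
    """Build one rule in the same shape as the rule quoted in the thread."""
    return f'alert tcp any any -> any 80 (content:"{escape_content(url)}"; react:; sid:{sid};)'

def generate_rules(urls, start_sid=1):
    """One rule per distinct, non-empty URL, with SIDs assigned sequentially."""
    rules, seen, sid = [], set(), start_sid
    for url in urls:
        url = url.strip()
        if not url or url in seen:
            continue  # blank lines and repeats would otherwise burn SIDs
        seen.add(url)
        rules.append(make_rule(url, sid))
        sid += 1
    return rules

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def audit_rules(rules):
    """Count rules and report SIDs that are missing or used more than once."""
    total, missing, counts = 0, 0, {}
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are not rules
        total += 1
        m = _SID_RE.search(line)
        if m is None:
            missing += 1
            continue
        sid = int(m.group(1))
        counts[sid] = counts.get(sid, 0) + 1
    duplicates = sorted(s for s, n in counts.items() if n > 1)
    return {"total": total, "missing_sid": missing, "duplicate_sids": duplicates}

# Constructed sample input (not from the thread): one repeat, one blank,
# and two fragments containing characters that need escaping.
SAMPLE_URLS = ["example.test/bad", " example.test/bad ", "", "evil.test/a;b", "x.test/p|q"]
```

Running `audit_rules` over the generated list (or over a file read line by line) before starting Snort catches duplicate SIDs, which otherwise only show up as startup warnings after a long load.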