[Snort-users] Snort rules maximum rules per file

Russ Combs rcombs at ...1935...
Fri Jul 15 14:05:01 EDT 2011


Hussein, thanks for reporting the problem.

I was able to recreate it using locally generated rules and have opened a
bug.

Don't have any additional suggestions at this point but will keep you
posted.

Russ

On Sat, Jul 2, 2011 at 4:02 AM, Hussein Bahaidarah <husseinb at ...11827...> wrote:

> Hello Martin,
>
> I know that snort is not designed to do that; but I have to use it for many
> reasons as my experiment dictates using IDS/IPS. I cannot use Squid; it is a
> proxy engine and does not serve my purpose.
>
> Thanks
>
> On Jul 1, 2011, at 9:56 PM, Martin Holste wrote:
>
> You are using the wrong tool for URL blocking.  You should be using
> squid for this with policy-based routing to transparently redirect all
> requests through squid as a transparent proxy.
>
> On Fri, Jul 1, 2011 at 1:12 PM, Hussein Bahaidarah <husseinb at ...11827...>
> wrote:
> > Hello,
> > no warning was displayed.
> > All rules are simple and of the following format:
> > alert tcp any any -> any 80 ( content:"URL"; react:; sid:1; )
> > The content is changed on every rule which is basically a URL and the SID
> > is incremented from 1 to 942099
> > My system has 4GB memory. Before using snort 600MB is used and after
> > snort full memory is utilized. That is on 2.9.0.5. Now, I have switched to
> > Version 2.9.1_beta as the "react" option was not firing on multiple rules.
> > I am testing snort with IXIA; but the results are not good as it seems
> > that I am not configuring Snort in the right way. I need to achieve blocking
> > for a big number of URLs with snort. Do you have any recommendations in this
> > regard to tweak and optimize snort performance.
> > Thanks,
> > On Jun 29, 2011, at 7:52 PM, Russ Combs wrote:
> > We have kicked this around internally, and don't have a simple
> > configuration suggestion to try so a few questions ...
> >
> > Did you see any warnings in the startup output when you loaded 942099
> > rules?
> >
> > What kind of rules are these?  Are they all very simple rules or rules
> > with lots of options?
> >
> > How much memory does your system have?  How much is used before and after
> > starting Snort with all those rules?
> >
> > Thanks
> > Russ
> >
> > On Sun, Jun 26, 2011 at 1:04 PM, Hussein Bahaidarah <husseinb at ...11827...>
> > wrote:
> >>
> >> Hello,
> >> I have found after extensive testing that only 131008 rules fire
> >> alert and action. Any rule after that will not take any action.
> >> On Jun 25, 2011, at 8:39 PM, Hussein Bahaidarah wrote:
> >> Hello,
> >> Is there a limit on the number of rules supported by snort in general? and
> >> on a per file basis? I have customized a file with 942099 rules and it
> >> took about 15 minutes to start snort; but no alerts or actions were fired.
> >> +++++++++++++++++++++++++++++++++++++++++++++++++++
> >> Initializing rule chains...
> >> 942099 Snort rules read
> >>     942099 detection rules
> >>     0 decoder rules
> >>     0 preprocessor rules
> >> 942099 Option Chains linked into 1 Chain Headers
> >> 0 Dynamic rules
> >> +++++++++++++++++++++++++++++++++++++++++++++++++++
> >> +-------------------[Rule Port Counts]---------------------------------------
> >> |             tcp     udp    icmp      ip
> >> |     src       0       0       0       0
> >> |     dst  942099       0       0       0
> >> |     any       0       0       0       0
> >> |      nc       0       0       0       0
> >> |     s+d       0       0       0       0
> >> +----------------------------------------------------------------------------
> >> --
> >> Regards,
> >> Hussein Bahaidara
> >>
> >>
> >>
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >> Please see http://www.snort.org/docs for documentation
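The rule-generation procedure Hussein describes above (one content rule per URL in the thread's rule shape, sid incremented per rule), as an added Python example; this is not code from the thread or from the Snort project. It escapes URL characters that would otherwise break or alter the content string, splits a large set across files at a configurable cap (the default reuses the 131008 figure Hussein observed, which is a constructed cap for this example and not a documented Snort limit), and audits a rule file for missing or duplicate sids before it is loaded. The function names, the msg text and the sample URLs are assumptions.

```python
"""Generate, split and audit Snort 2.x URL-blocking rules in the shape used
in the thread.  Added example; not part of the original mailing-list thread."""
from __future__ import annotations

import re
from collections.abc import Iterable, Iterator

# Characters that must be backslash-escaped inside a content:"..." string.
_BACKSLASH_ESCAPE = {";", '"', "\\"}

# Observed by the poster: rules past the 131008th never fired.  This is not a
# documented Snort limit; it is used here only as a conservative per-file cap.
OBSERVED_FIRING_LIMIT = 131008


def snort_content(text: str) -> str:
    """Encode text for use inside content:"...".  ; " and backslash are
    backslash-escaped; the hex delimiter | and any non-printable or non-ASCII
    byte are emitted as |XX| hex so they cannot change how the rule parses."""
    out: list[str] = []
    hex_run: list[str] = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if 0x20 <= byte < 0x7F and ch != "|":
            if hex_run:  # flush any pending hex bytes before printable text
                out.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            out.append("\\" + ch if ch in _BACKSLASH_ESCAPE else ch)
        else:
            hex_run.append(f"{byte:02X}")
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)


def build_rule(url: str, sid: int) -> str:
    """One rule in the thread's shape (any source, any destination on port 80,
    content match on the URL, react:;) with msg, nocase and rev added."""
    return (
        "alert tcp any any -> any 80 ("
        f'msg:"blocked URL sid {sid}"; '
        f'content:"{snort_content(url)}"; nocase; '
        f"react:; sid:{sid}; rev:1;)"
    )


def generate_rules(urls: Iterable[str], start_sid: int = 1) -> Iterator[str]:
    """Yield one rule per non-empty, non-comment URL line; sids count up
    from start_sid so no two generated rules share a sid."""
    sid = start_sid
    for url in urls:
        url = url.strip()
        if not url or url.startswith("#"):
            continue
        yield build_rule(url, sid)
        sid += 1


def split_rules(rules: Iterable[str],
                max_per_file: int = OBSERVED_FIRING_LIMIT) -> list[list[str]]:
    """Chunk rules into lists of at most max_per_file, one list per file."""
    chunks: list[list[str]] = []
    current: list[str] = []
    for rule in rules:
        current.append(rule)
        if len(current) == max_per_file:
            chunks.append(current)
            current = []
    if current:
        chunks.append(current)
    return chunks


# A rule line starts with an action keyword; anything else (blank, '#' comment,
# var/include directive) is skipped by the audit.
_ACTION_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+")
# A real sid option ends in an unescaped ';', so 'sid:5\;' inside an escaped
# content string does not match.
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def audit_rule_file(text: str) -> dict[str, int]:
    """Count rules, rules without a sid, and rules whose sid repeats an
    earlier one, so the file can be checked before Snort loads it."""
    seen: set[int] = set()
    stats = {"rules": 0, "missing_sid": 0, "duplicate_sid": 0}
    for line in text.splitlines():
        if not _ACTION_RE.match(line):
            continue
        stats["rules"] += 1
        m = _SID_RE.search(line)
        if m is None:
            stats["missing_sid"] += 1
        elif int(m.group(1)) in seen:
            stats["duplicate_sid"] += 1
        else:
            seen.add(int(m.group(1)))
    return stats


if __name__ == "__main__":
    # Constructed sample input: a short URL list, with a comment and a blank.
    sample = ["example.test/blocked", "", "# comment", 'bad.test/a;b"c']
    for chunk_no, chunk in enumerate(split_rules(generate_rules(sample)), 1):
        print(f"file {chunk_no}: {len(chunk)} rules")
        print("\n".join(chunk))
        print(audit_rule_file("\n".join(chunk)))
```

Each chunk returned by split_rules is meant to be written to its own .rules file and included from snort.conf; the audit runs on the file text and flags the two load-time problems that are easy to introduce when rules are generated mechanically, a rule with no sid and two rules sharing one.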