[Snort-users] Snort CPU consumptions

waldo kitty wkitty42 at ...14940...
Wed Jan 8 20:26:38 EST 2014

On 1/8/2014 1:01 PM, Patrick Mullen wrote:
> Hello!
> This is a good question, and the answer may not be what you expect at first.
> The "problem" is that snort checks the port LAST*, so that rule would, in fact,
> be seen as a poor performer.  The reason we check the port last is because we
> found that with properly written rules, the port check would almost always
> succeed.  Early versions of snort checked ports first and it was actually slower
> overall this way.
> It's worth noting that your example rule would be a poor performer regardless of
> the pcre used because it doesn't have a content match, which means it would
> enter on EVERY packet, especially since you also didn't include a "flow"
> option.

so one answer to tuning this rule would be to

   1. include a content match
   2. include a flow direction

but looking at that PCRE, i don't see where it is any more helpful than a simple
"any any -> any any" type rule :?

> All rules should have a good content match that will help snort know if
> it should bother evaluating any of the rule options and a flow option to further
> reduce the number of packets it evaluates.
> (*) Rules that use some preprocessors, like http_inspect, in some ways
> effectively check the port first because http_inspect has its own rule option
> tree and that tree is only run on ports that are seen and/or configured as http,
> but in general you should never assume the port specification is going to
> provide any performance benefits.
> Thanks,
> ~Patrick
> On Wed, Jan 8, 2014 at 11:35 AM, Balasubramaniam Natarajan
> <bala150985 at ...11827...> wrote:
>     Hi
>     Let us consider a snort signature with a CPU expensive PCRE match as shown
>     below[1].
>     Would the PCRE consume a lot of CPU cycles if the entire traffic which this
>     snort saw is just port 80 to the HOME_NET ?
>     [1]
>     alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE";
>     pcre:"/.+/i"; rev:1; sid:100001)
>     My answer would be no ?  Is there any other contradicting answer to the same
>     ?  My doubt is due to the fact that I saw a peculiar case where the traffic
>     was not on port 888 and still this sort of a rule managed to bubble up the
>     worst performers in perf-profiling.

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
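
Added example (not part of the original messages, and not Snort project code): a small Python lint for the two tuning points discussed in this thread, flagging rules that have no content match or no flow option. The "tuned" rule, its content string, pcre and sid 100002 are constructed for illustration, and the finding codes are hypothetical names.

```python
# Added example: lint Snort 2.x rule text for the two tuning points in this thread.
RULES = {
    # Rule exactly as posted in the thread.
    "thread": r'alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE"; '
              r'pcre:"/.+/i"; rev:1; sid:100001)',
    # Constructed variant: content string, pcre and sid 100002 are assumptions.
    "tuned": r'alert tcp any any -> $HOME_NET 888 (msg:"Constructed example"; '
             r'flow:to_server,established; content:"LOGIN\;user="; nocase; '
             r'pcre:"/LOGIN\x3buser=\w{64,}/i"; rev:1; sid:100002;)',
}

def split_options(rule):
    """Split the option body on ';' that is neither quoted nor backslash-escaped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            opts.append(buf)
            buf = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        buf += ch
    opts.append(buf)  # last option may lack its ';', as in the thread's rule
    pairs = (o.strip().partition(":") for o in opts if o.strip())
    return [(k.strip().lower(), v.strip()) for k, _, v in pairs]

def audit(rule):
    """Return finding codes for a rule that will be expensive to evaluate."""
    opts = split_options(rule)
    keys = {k for k, _ in opts}
    # Simplification: a negated content (content:!"...") is not counted as a
    # usable match for deciding whether to evaluate the rule.
    has_content = any(k in ("content", "uricontent") and not v.startswith("!")
                      for k, v in opts)
    findings = []
    if not has_content:
        findings.append("no-content")   # rule is entered on every packet
    if "flow" not in keys:
        findings.append("no-flow")      # no direction/state filter
    if "pcre" in keys and not has_content:
        findings.append("pcre-ungated")  # regex runs with nothing to pre-filter it
    return findings

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, audit(rule) or "ok")
```

Note that the check ignores the port in the rule header entirely, matching the point made in the thread that the port specification should not be relied on for performance.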
