[Snort-users] Snort CPU consumptions
wkitty42 at ...14940...
Wed Jan 8 20:26:38 EST 2014
On 1/8/2014 1:01 PM, Patrick Mullen wrote:
> This is a good question, and the answer may not be what you expect at first.
> The "problem" is that snort checks the port LAST*, so that rule would, in fact,
> be seen as a poor performer. The reason we check the port last is because we
> found that with properly written rules, the port check would almost always
> succeed. Early versions of snort checked ports first and it was actually slower
> overall this way.
> It's worth noting that your example rule would be a poor performer regardless of
> the pcre used because it doesn't have a content match, which means it would
> enter on EVERY packet, especially since you also didn't include a "flow"
so one answer to tuning this rule would be to
1. include a content match
2. include a flow direction
but looking at that PCRE, I don't see where it is any more helpful than a simple
"any any -> any any" type rule :?
> All rules should have a good content match that will help snort know if
> it should bother evaluating any of the rule options and a flow option to further
> reduce the number of packets it evaluates.
> (*) Rules that use some preprocessors, like http_inspect, in some ways
> effectively check the port first because http_inspect has its own rule option
> tree and that tree is only run on ports that are seen and/or configured as http,
> but in general you should never assume the port specification is going to
> provide any performance benefits.
> On Wed, Jan 8, 2014 at 11:35 AM, Balasubramaniam Natarajan <bala150985 at ...11827...> wrote:
> Let us consider a snort signature with a CPU expensive PCRE match as shown.
> Would the PCRE consume a lot of CPU cycles if the entire traffic which this
> snort saw is just port 80 to the HOME_NET ?
> alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE";
> pcre:"/.+/i"; rev:1; sid:100001)
> My answer would be no? Is there any other contradicting answer to the same?
> My doubt is due to the fact that I saw a peculiar case where the traffic
> was not on port 888 and still this sort of a rule managed to bubble up the
> worst performers in perf-profiling.
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
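As an added illustration, not from the thread and a deliberate simplification of how Snort really schedules its checks, the Python model below applies the evaluation order Patrick describes (content prefilter first, port last) to a handful of constructed packets and counts how often the expensive pcre is actually run for the original rule versus the same rule with a content match and flow direction added; the "LOGIN" content, the sid 100002 and the packets are assumptions:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample traffic: (src_port, dst_port, to_server, payload)
PACKETS = [
    (40001, 80,  True,  b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    (80,  40001, False, b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    (40002, 888, True,  b"LOGIN admin\r\n"),
    (888, 40002, False, b"OK\r\n"),
    (40003, 443, True,  b"\x16\x03\x01"),
    (40004, 888, True,  b"GET /cgi HTTP/1.0\r\n"),
]

@dataclass
class Rule:
    dst_port: Optional[int]        # None means "any"
    content: Optional[bytes]       # fast-pattern content; None = no content match
    flow_to_server: Optional[bool] # None = no flow option
    pcre: str

# alert tcp any any -> $HOME_NET 888 (msg:"Most CPU expensive PCRE"; pcre:"/.+/i"; rev:1; sid:100001)
ORIGINAL_RULE = Rule(dst_port=888, content=None, flow_to_server=None, pcre=r".+")
# Hypothetical tuned version:
# alert tcp any any -> $HOME_NET 888 (msg:"tuned"; flow:to_server; content:"LOGIN"; pcre:"/.+/i"; rev:1; sid:100002)
TUNED_RULE = Rule(dst_port=888, content=b"LOGIN", flow_to_server=True, pcre=r".+")

def evaluate(rule: Rule, packets) -> tuple:
    """Model of the order described in the thread: a rule with no content match
    is entered on every packet, flow is checked next, then the pcre runs, and
    the port specification is checked LAST. Returns (pcre_runs, alerts)."""
    compiled = re.compile(rule.pcre.encode(), re.IGNORECASE)  # the /i flag
    pcre_runs = alerts = 0
    for _sport, dport, to_server, payload in packets:
        if rule.content is not None and rule.content not in payload:
            continue  # fast-pattern prefilter: rule never entered at all
        if rule.flow_to_server is not None and to_server != rule.flow_to_server:
            continue  # flow option rejects the packet before the pcre
        pcre_runs += 1  # the expensive part runs here
        if not compiled.search(payload):
            continue
        if rule.dst_port is not None and dport != rule.dst_port:
            continue  # port checked last, so it saves no pcre work
        alerts += 1
    return pcre_runs, alerts

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("tuned", TUNED_RULE)):
        runs, hits = evaluate(rule, PACKETS)
        print(f"{name}: pcre evaluated {runs} times, {hits} alerts")
```

On these six packets the original rule runs the pcre six times for two alerts, while the tuned rule runs it once for one alert, which is the effect the content match and flow option are meant to have.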