[Snort-users] Snort CPU consumptions

Balasubramaniam Natarajan bala150985 at ...11827...
Wed Jan 8 22:44:57 EST 2014

On Wed, Jan 8, 2014 at 11:31 PM, Patrick Mullen <pmullen at ...1935...>wrote:

> Hello!
> This is a good question, and the answer may not be what you expect at
> first.
> The "problem" is that snort checks the port LAST*, so that rule would, in
> fact, be seen as a poor performer.  The reason we check the port last is
> because we found that with properly written rules, the port check would
> almost always succeed.  Early versions of snort checked ports first and it
> was actually slower overall this way.

Wow, superb, this is the answer I was looking for :-). If you have it at the
top of your head as to which version onward the port check was pushed to
LAST, please key it in?

> It's worth noting that your example rule would be a poor performer
> regardless of the pcre used because it doesn't have a content match, which
> means it would enter on EVERY packet, especially since you also didn't
> include a "flow" option.  All rules should have a good content match that
> will help snort know if it should bother evaluating any of the rule options
> and a flow option to further reduce the number of packets it evaluates.

The rule specified in my email trail is not the one I use in production. I
created it as an example just to ensure that it looks like a worst
performer.

> (*) Rules that use some preprocessors, like http_inspect, in some ways
> effectively check the port first because http_inspect has its own rule
> option tree and that tree is only run on ports that are seen and/or
> configured as http, but in general you should never assume the port
> specification is going to provide any performance benefits.
> Thanks,
> ~Patrick
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT

Balasubramaniam Natarajan
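As an added illustration of the point made in the quoted reply (this is not from the thread and not a Sourcefire VRT rule), here are two hypothetical Snort 2.9 rules for the same HTTP request pattern. The first has only a pcre, so it has no fast-pattern content to gate on and must run the regex on every packet that reaches the rule engine; the second adds flow and a content match (marked as the fast pattern) so the pcre only runs on established client-to-server HTTP traffic whose URI already contains ".php". The message text, SIDs and regexes are made up for the example.

```snort
# Poor performer: no flow, no content. The port check happens last, so this
# rule is entered for every packet and the regex runs each time.
alert tcp any any -> any 80 (msg:"EXAMPLE poor: pcre-only rule"; \
    pcre:"/^GET \/[a-z]{8}\.php/"; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Better: flow restricts evaluation to established client-to-server traffic,
# the content match is the fast pattern that gates entry into the rule, and
# the pcre (with the U modifier for the normalized URI) runs only on packets
# that already matched the content. Hypothetical rule, sid in the local range.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE better: flow + content + pcre"; \
    flow:to_server,established; \
    content:".php"; http_uri; fast_pattern; \
    pcre:"/^\/[a-z]{8}\.php$/U"; \
    classtype:misc-activity; sid:1000002; rev:1;)
```

When comparing the two, measure with `--enable-perfprofiling` and `config profile_rules` rather than reasoning from the header alone: as the reply above notes, the port specification in the header does not by itself save any work except where a preprocessor such as http_inspect has its own port-scoped option tree.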