Snort mailing list archives

Re: Snort 2.8.6 performance
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 8 Oct 2010 17:18:22 -0600

Hi,

Yes, I just used the default configuration of the rule performance monitoring and am sorting by avg_ticks.  I'll check those other rules out.

After disabling 4677, snort process utilization dropped to around 20-30%, and dropped packets are 0% again.  Throughput (according to snort) is above 100mb/s.

________________________________
From: Matt Olney [mailto:molney () sourcefire com]
Sent: Friday, October 08, 2010 3:50 PM
To: Jefferson, Shawn
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.8.6 performance

From a performance perspective, there are three rules we need to address:

4677, 4676 and 17468.  Those three rules address significantly older bugs, and I'd recommend you disable them unless you need them for known vulnerabilities.  A fix to those three bugs will be in the next rule release.

I know you have 10 rules on your list, but a majority of them have a very low check number.  These three have a high microsecond evaluation time and a large number of checks.

Matt
On Fri, Oct 8, 2010 at 5:58 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

My suspicion is that this is rule related somehow... I turned off the so_rules and that didn't make any difference, and I also turned off the attribute table just for fun, since the one I load is pretty big.

Nothing... so I reconfigured/recompiled to allow rule performance checks.

timestamp: 1286574608
Rule Profile Statistics (worst 10 rules)
==========================================================
  Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
  ===      === === ===     ======   =======    ======           =========  =========  ========= ============
    1     4677   1   3     100664         0         0           615540707     6114.8        0.0       6114.8
    2    13272   1   3          6         0         0               17891     2981.9        0.0       2981.9
    3    11324   1   4         21         0         0               39429     1877.6        0.0       1877.6
    4    17468   1   1      33163         0         0            44821199     1351.5        0.0       1351.5
    5    10504   1   2         68         0         0                8006      117.7        0.0        117.7
    6    10505   1   2         68         0         0                8002      117.7        0.0        117.7
    7     4676   1   3      33076         0         0             1931555       58.4        0.0         58.4
    8    17666   1   1        594         0         0               13802       23.2        0.0         23.2
    9    17495   1   1          2         0         0                  42       21.2        0.0         21.2
   10    15910   1   5        232         0         0                3869       16.7        0.0         16.7

I commented out rule 4677 and am running snort on my sensor again to see if that will help.

Anybody know anything about this rule and if it may have recently changed? There's a very non-unique content match: "GET" and then a PCRE...

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Friday, October 08, 2010 12:36 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.8.6 performance

On 10/8/2010 13:19, Jefferson, Shawn wrote:
Has anyone else noticed performance (dropped packets), really take a dive today? I'm missing about 20-30% of packets now... on a sensor that was running great at about 100-200 mb/s until just today/last night. According to my snort stats there isn't anything unusual as far as stream or frag events go, but the snort process is using 100% CPU today. I'm using the VRT paid subscription rules.

please quote back your "snort -V" output... your config may also be needed...
possible you found a bug or some way that someone is trying to evade IDS several
other factors...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users