Snort mailing list archives
Re: SO rules vs regular rules
From: Brian Caswell <bmc () snort org>
Date: Mon, 1 Feb 2010 13:57:31 -0500
On Thu, Jan 14, 2010 at 3:10 PM, Mike Cox <mike.cox52 () gmail com> wrote:
Lately I have considered taking some of the poorer performing snort rules and making them shared object rules. The purpose of this would be to improve performance but my question is, will it? Are there any performance metrics associated with SO rules vs regular rules?
It depends. More often than not, poor performing rules will perform poorly in textual and in shared object form. Changing how the rule gets loaded into Snort will not correct most flaws in the implementation of rules.

If you are planning on using the converter published at labs.snort.org, you will not see any performance gain for straight translation of rules to shared objects. In all practical terms, the detection from the shared object rules using the output of the converter is exactly the same as textual rules.

Prior to 2.8.5, the straight translation of text rules to SO rules was a performance loss. In prior releases, using SO rules was a large performance loss. Since 2.8.5, rules converted to SO rules using the translator should be roughly equivalent in performance.

Using the current version of snort, rewriting some rules using hand-tuned C can show an increase in performance. However, due to the rule tree optimizations done in recent versions of Snort, hand-tuned C rules could be worse performing than the original text rules. Again, it depends.

If you want to squeeze every bit of performance out of your rules, you need to know your environment, the rules you are writing and how they are optimized together within Snort, your network traffic profile, etc. Or... you could just let Snort's internal optimizations work for your benefit, of which it does a decent job in most situations.

Brian
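The premise of the thread is finding the "poorer performing" rules before deciding what to do with them. The script below is an added example (not part of this thread and not Snort's own code) that ranks rules from Snort's rule-profiling table, the text printed at shutdown when `config profile_rules` is enabled. The column names and the sample table are constructed here on the assumption that the output is a whitespace-separated table headed by `Num SID GID Rev Checks Matches Alerts Microsecs Avg/Check ...`; map the header names to your own build's output if they differ. It separates rules that are expensive per check from rules that are checked constantly and never match, which is the kind of implementation flaw that moving a rule to shared-object form does not fix.

```python
"""Rank Snort rule-profiling output to find rules worth tuning.

Assumed input format (constructed for this example): the table Snort prints
with `config profile_rules`, parsed as whitespace-separated columns using the
header row to locate fields. Adjust the header names for your build.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample table; not real profiling output from any sensor.
SAMPLE_PROFILE = """\
Rule Profile Statistics (all rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts   Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
   ===      === === ===     ======   =======    ======   =========  =========  ========= ============
     1  1000001   1   3     120000         0         0      960000      8.000      0.000        8.000
     2  1000002   1   1      50000       400       400      125000      2.500      3.100        2.495
     3  1000003   1   2         80        10        10         120      1.500      2.000        1.429
     4  1000004   1   1      90000     90000     20000       45000      0.500      0.500        0.000
"""


@dataclass
class RuleStat:
    sid: int
    gid: int
    rev: int
    checks: int
    matches: int
    alerts: int
    microsecs: int
    avg_check: float

    @property
    def usec_per_alert(self) -> float:
        """Total cost of the rule divided by the alerts it produced (inf if none)."""
        return self.microsecs / self.alerts if self.alerts else float("inf")


def parse_profile(text: str) -> List[RuleStat]:
    """Parse the profiling table; banner and separator lines are skipped."""
    header: Dict[str, int] = {}
    rows: List[RuleStat] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Num" and "SID" in parts:
            header = {name: i for i, name in enumerate(parts)}
            continue
        # Data rows start with the rule's ordinal number; everything else is decoration.
        if not header or not parts[0].isdigit() or len(parts) < len(header):
            continue
        rows.append(RuleStat(
            sid=int(parts[header["SID"]]),
            gid=int(parts[header["GID"]]),
            rev=int(parts[header["Rev"]]),
            checks=int(parts[header["Checks"]]),
            matches=int(parts[header["Matches"]]),
            alerts=int(parts[header["Alerts"]]),
            microsecs=int(parts[header["Microsecs"]]),
            avg_check=float(parts[header["Avg/Check"]]),
        ))
    return rows


def rank_by_avg_check(stats: List[RuleStat], top: int = 3) -> List[RuleStat]:
    """Most expensive rules per evaluation, the usual first place to look."""
    return sorted(stats, key=lambda s: s.avg_check, reverse=True)[:top]


def never_matching(stats: List[RuleStat], min_checks: int = 10000) -> List[RuleStat]:
    """Rules evaluated often that never match: candidates for a better
    fast-pattern content so the rule tree stops selecting them."""
    return [s for s in stats if s.checks >= min_checks and s.matches == 0]


if __name__ == "__main__":
    stats = parse_profile(SAMPLE_PROFILE)
    for s in rank_by_avg_check(stats):
        print(f"sid {s.sid}: {s.avg_check:.3f} us/check, {s.usec_per_alert:.1f} us/alert")
    for s in never_matching(stats):
        print(f"sid {s.sid}: checked {s.checks} times, never matched")
```

Run it against your sensor's profiling output instead of the sample to get the list of rules that deserve a rewrite, whether that rewrite stays in text form or ends up in hand-tuned C.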
Current thread:
- SO rules vs regular rules Mike Cox (Jan 14)
- Re: SO rules vs regular rules Mike Cox (Feb 01)
- Re: SO rules vs regular rules Joel Esler (Feb 01)
- Re: SO rules vs regular rules Brian Caswell (Feb 01)
- Re: SO rules vs regular rules Patrick Mullen (Feb 03)
- Re: SO rules vs regular rules Mike Cox (Feb 03)
- http rule is not always triggering Sven Wurth (Feb 16)
- Re: http rule is not always triggering JJ Cummings (Feb 16)
- Re: http rule is not always triggering Sven Wurth (Feb 17)
- Re: SO rules vs regular rules Patrick Mullen (Feb 03)
- Re: SO rules vs regular rules Mike Cox (Feb 01)
