
RE: [Snort-devel] Benchmark pass rules vs rule mods?

From: Erek Adams <erek(at)snort.org>
Date: Fri Sep 05 2003 - 14:12:27 EDT

On Fri, 5 Sep 2003, Mcclure Gammon wrote:

> Thanks Erek, Understand and I do use BPF's. But that begs the question.
> Let's assume I've got multiple class C's on my DMZs with a whole lot of
> "interestingly coded" apps running out there. I find one box triggers
> multiple IIS rules (during normal processing), another trips other
> rules, etc. By the time I'm done with my BPF, it's longer than the rule
> sets ;-)

True... That's where the -F flag comes in handy. :) If you need, you can write a lot of BPF filters and stick them in a file. Then load the file from the command line using -F <file>. That's useful if you need some really weird filters that don't lend themselves well to adding on the command line.

> So, back to my original question?

Well... It really all depends. Consider this:

  var HOME_NET [10.10.10.0/24,10.10.11.0/24]

vs.


  var HOME_NET [10.10.10.0/23]

Now, since they are equal it would seem like they take the same amount of time/parsing. Not true. The first example takes longer to parse on a rule. You've got two separate nets to check, so Snort checks one net and then the other. In the second, you've only got one net. Sorta like "Is A a member of B or C?" vs "Is A a member of B?"

Another factor to consider: Each 'check' you add on a rule the more parsing/inspection that Snort has to do. For example:

        pass tcp $SMTP_SERVERS 25 -> any any

vs.

        pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Passing SMTP
        rcpt to sed command attempt"; flow:to_server,established; content:"rcpt
        to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0;
        classtype:attempted-admin; sid:1000663; rev:6;)

(cloned from SID 663)

You incur extra overhead with the flow, content distance, etc...

I guess a good rule of thumb would be 'keep it short and simple'. The simpler your rules are, the less of a strain on Snort they will be. Now, I'm taking a guess, but if you're running the default ruleset, you're going to have a pain in a production environment. If not, ignore the rest. ;-) The default rules are just 'examples' of what/how you can do things. They are not necessarily tuned well for your nets. If you haven't tuned them down, I'd suggest doing that. You might want to consider adding a set of 'anomaly' rules as well. IOW, your webservers should never make an outbound connection to anything but your DNS server on port 53 right? You should only have SSH allowed from your management net, and not the outside world. If you break it down and think about the function of each box you can start to draw a picture of what would be 'odd or weird' for each. Write rules that fire off for that, and you can cut down a lot on your rules, but still have a heads up that something is wrong.


Hope that helps!



Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson
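The two tuning points in the reply above (collapse a HOME_NET list into as few CIDR blocks as possible, and keep rule bodies short) can be checked mechanically. The following is an added example, not code from the thread or from the Snort project: it rewrites a `var` line using the Python standard library's `ipaddress.collapse_addresses`, and splits a one-line rule into its options so the detection options (content, flow, distance and friends) can be counted separately from metadata such as msg, sid and rev. The sample var line and the sample rule are constructed from the text of the reply; the metadata keyword list and the function names are this example's own choices.

```python
"""Added example (not from the Snort-devel thread or the Snort project):
collapse a Snort HOME_NET list into the fewest CIDR blocks, and split a
rule into options so its inspection cost can be compared with others."""
import ipaddress
import re

# Option keywords that carry no inspection work (assumption for this example:
# the list is illustrative, not Snort's authoritative set).
METADATA_KEYWORDS = {"msg", "sid", "rev", "gid", "classtype", "reference",
                     "priority", "metadata"}

# Constructed samples taken from the reply's own text.
SAMPLE_VAR = "var HOME_NET [10.10.10.0/24,10.10.11.0/24]"
SAMPLE_RULE = r'''pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Passing SMTP rcpt to sed command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; classtype:attempted-admin; sid:1000663; rev:6;)'''


def parse_var_list(var_line):
    """Return (name, [networks]) for 'var NAME [a,b,...]' or 'var NAME a'.
    Negated entries ('!10.0.0.0/8') are not supported and raise ValueError."""
    m = re.match(r"\s*var\s+(\S+)\s+\[?([^\]]+)\]?\s*$", var_line)
    if not m:
        raise ValueError("not a var line: %r" % var_line)
    name, body = m.group(1), m.group(2)
    nets = [ipaddress.ip_network(x.strip(), strict=False)
            for x in body.split(",") if x.strip()]
    return name, nets


def collapse_var(var_line):
    """Rewrite a var line with adjacent/overlapping networks merged.
    [10.10.10.0/24,10.10.11.0/24] becomes [10.10.10.0/23]."""
    name, nets = parse_var_list(var_line)
    merged = ipaddress.collapse_addresses(nets)
    return "var %s [%s]" % (name, ",".join(str(n) for n in merged))


def split_rule(rule):
    """Split a one-line rule into (header, [options]).
    Options are separated by ';' outside double quotes; a backslash
    escapes the following character, so content:"rcpt to\\:" stays intact."""
    rule = " ".join(rule.split())          # fold line continuations
    start = rule.find("(")
    if start == -1:                        # header-only rule, no options
        return rule.rstrip(";").strip(), []
    header = rule[:start].strip()
    body = rule[start + 1:rule.rfind(")")]
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return header, opts


def inspection_options(rule):
    """Return only the options that make Snort inspect packet data,
    i.e. everything except pure metadata keywords."""
    _, opts = split_rule(rule)
    return [o for o in opts
            if o.split(":", 1)[0].strip().lower() not in METADATA_KEYWORDS]


if __name__ == "__main__":
    print(collapse_var(SAMPLE_VAR))
    header, opts = split_rule(SAMPLE_RULE)
    print(header)
    print("%d options, %d of them inspection work"
          % (len(opts), len(inspection_options(SAMPLE_RULE))))
```

Run over a rules file, `inspection_options` gives a quick way to rank pass rules by how much work each one asks of Snort before the packet is dropped from further inspection; the header-only `pass tcp $SMTP_SERVERS 25 -> any any` scores zero, the cloned SID 663 rule scores seven.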




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Fri Sep 5 14:26:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT

