Re: Rule Load Formula

My math is not so good so... j/k

Isn't there a site somewhere where you can copy a rule into it and it
would test it for performance?

Wally

On 1/11/07, Martin Holste 
<martin.holste-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
> It seems to me that it should be possible to create a somewhat simple
> (or at least straightforward) formula for how much effort it takes to
> process a given rule.  It could be as simple as a unit of snort
> processing so that rule comparisons can be made, though not translated
> directly to actual CPU cycles or other measurable real-world events.
>
> I'm not sure if benchmarking or code-analysis (or some combination)
> would prove the most accurate.  Obviously, different
> compiling/architecture options affect Snort's performance, but it
> seems to me that a theoretical performance formula is tangible based
> on the source code.  I also think that it would be fair to assume that
> the ac-bnfa matching algorithm is used, since it is destined to be the
> default.
>
> So, to that end, do you think this mailling list could put together
> something to start a list of values where an oink = 1 unit of Snort
> processing load.  Even estimated values would be helpful.
>
> Matching    Oinks
> content        x (per char)
> pcre        x (per char)
> rawbytes    x (per char)
> uricontent    x (per char)
> isdataat    x
> byte_test    x
> byte_jump    x
> ftpbounce    x
> regex        x (per char)
>
> Modifiers    Oinks
> nocase        x
> depth        x
> offset        x
> distance    x
> within        x
>
> Non-payload    Oinks
> fragoffset    x
> ttl        x
> tos        x
> id        x
> ipopts        x
> fragbits    x
> dsize        x
> flags        x
> flow        x
> flowbits    x
> seq        x
> ack        x
> window        x
> itype        x
> icode        x
> icmp_id        x
> icmp_seq    x
> rpc        x
> ip_proto    x
> sameip        x
>
> We'd then need to figure out multipliers for single/all ports and IP
> filters as well as other miscellaneous additions to the formula.
>
> So, if something like this has been done, please point me to it, but I
> was unable to Google anything like this, and I figured that with all
> of the seasoned Snort vets on this list we ought to be able to come up
> with something.
>
> --Martin
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs