logo       
<prev   next>

Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...

Re: Rule Load Formula: msg#00072

security.ids.snort.bleedingsnort

Subject: Re: Rule Load Formula

My math is not so good so... j/k

Isn't there a site somewhere where you can copy a rule into it and it
would test it for performance?

Wally

On 1/11/07, Martin Holste
<martin.holste-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
It seems to me that it should be possible to create a somewhat simple
(or at least straightforward) formula for how much effort it takes to
process a given rule. It could be as simple as a unit of snort
processing so that rule comparisons can be made, though not translated
directly to actual CPU cycles or other measurable real-world events.

I'm not sure if benchmarking or code-analysis (or some combination)
would prove the most accurate. Obviously, different
compiling/architecture options affect Snort's performance, but it
seems to me that a theoretical performance formula is tangible based
on the source code. I also think that it would be fair to assume that
the ac-bnfa matching algorithm is used, since it is destined to be the
default.

So, to that end, do you think this mailling list could put together
something to start a list of values where an oink = 1 unit of Snort
processing load. Even estimated values would be helpful.

Matching Oinks
content x (per char)
pcre x (per char)
rawbytes x (per char)
uricontent x (per char)
isdataat x
byte_test x
byte_jump x
ftpbounce x
regex x (per char)

Modifiers Oinks
nocase x
depth x
offset x
distance x
within x

Non-payload Oinks
fragoffset x
ttl x
tos x
id x
ipopts x
fragbits x
dsize x
flags x
flow x
flowbits x
seq x
ack x
window x
itype x
icode x
icmp_id x
icmp_seq x
rpc x
ip_proto x
sameip x

We'd then need to figure out multipliers for single/all ports and IP
filters as well as other miscellaneous additions to the formula.

So, if something like this has been done, please point me to it, but I
was unable to Google anything like this, and I figured that with all
of the seasoned Snort vets on this list we ought to be able to come up
with something.

--Martin
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Rule Load Formula, Martin Holste
Next by Date:  Re: Rule Load Formula, Gentoo-Wally
Previous by Thread:  Rule Load Formula, Martin Holste
Next by Thread:  Re: Rule Load Formula, Gentoo-Wally
Indexes:  [Date] [Thread] [Top] [All Lists]

Google Custom Search
Recently Viewed:
qnx.openqnx.dev...    gcc.libstdc++.c...    solaris.opensol...    information-ret...    misc.misterhous...    web.catalyst.ge...    apache.webservi...    redhat.release....    hardware.lirc/2...    kernel.autofs/2...    technology.sust...    linux.vdr/2003-...    editors.lyx.gen...    org.user-groups...    netbsd.devel.pk...    xdg.devel/2004-...    version-control...    jakarta.slide.d...    debian.packages...    creativecommons...    ports.ppc.embed...    bug-tracking.bu...   
Home | blog view | USPTO Patent Archive | advertise | OSDir is an inevitable website. super tiny logo

Free Magazines

Cisco News
Receive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business.
subscribe

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe

Navigation