Re: Rule Load Formula

I think this is what i was thinking of...

http://www.turbosnort.org/index.php

not sure their definition of "speed" equates to actual performance.

Wally

On 1/11/07, Gentoo-Wally <gentoowally-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> 
wrote:
> My math is not so good so... j/k
>
> Isn't there a site somewhere where you can copy a rule into it and it
> would test it for performance?
>
> Wally
>
> On 1/11/07, Martin Holste 
> <martin.holste-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
> > It seems to me that it should be possible to create a somewhat simple
> > (or at least straightforward) formula for how much effort it takes to
> > process a given rule.  It could be as simple as a unit of snort
> > processing so that rule comparisons can be made, though not translated
> > directly to actual CPU cycles or other measurable real-world events.
> >
> > I'm not sure if benchmarking or code-analysis (or some combination)
> > would prove the most accurate.  Obviously, different
> > compiling/architecture options affect Snort's performance, but it
> > seems to me that a theoretical performance formula is tangible based
> > on the source code.  I also think that it would be fair to assume that
> > the ac-bnfa matching algorithm is used, since it is destined to be the
> > default.
> >
> > So, to that end, do you think this mailling list could put together
> > something to start a list of values where an oink = 1 unit of Snort
> > processing load.  Even estimated values would be helpful.
> >
> > Matching    Oinks
> > content        x (per char)
> > pcre        x (per char)
> > rawbytes    x (per char)
> > uricontent    x (per char)
> > isdataat    x
> > byte_test    x
> > byte_jump    x
> > ftpbounce    x
> > regex        x (per char)
> >
> > Modifiers    Oinks
> > nocase        x
> > depth        x
> > offset        x
> > distance    x
> > within        x
> >
> > Non-payload    Oinks
> > fragoffset    x
> > ttl        x
> > tos        x
> > id        x
> > ipopts        x
> > fragbits    x
> > dsize        x
> > flags        x
> > flow        x
> > flowbits    x
> > seq        x
> > ack        x
> > window        x
> > itype        x
> > icode        x
> > icmp_id        x
> > icmp_seq    x
> > rpc        x
> > ip_proto    x
> > sameip        x
> >
> > We'd then need to figure out multipliers for single/all ports and IP
> > filters as well as other miscellaneous additions to the formula.
> >
> > So, if something like this has been done, please point me to it, but I
> > was unable to Google anything like this, and I figured that with all
> > of the seasoned Snort vets on this list we ought to be able to come up
> > with something.
> >
> > --Martin
> > _______________________________________________
> > Bleeding-sigs mailing list
> > Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> >