
Re: Rule Load Formula: msg#00075

security.ids.snort.bleedingsnort

Subject: Re: Rule Load Formula

Yes, I've seen that site, but I was unsatisfied with having to rely on
their results and with the lack of an API (for lack of a better term).
It seems worth it to me to figure out exactly what it takes (perhaps
down to count/size of memcpy's, etc?) for a rule op.

Applications of this formula would be mainly in scripting to run
historical reports on rule matches per system load. Or, more
importantly for those of us who are always redlining our boxes,
answering questions like "how many pps will I drop with the addition
of this rule?" or "what is the rule capacity of this given setup?" I
think the latter has been more of an issue lately, especially when you
look at the exponential growth of the rule sets.

Making truly informed decisions about the entirety of the rule set
seems like a worthwhile endeavor.

On 1/11/07, Matt Jonkman
<jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx> wrote:
Turbosnort.com is probably what you were thinking about. By the vigilant
minds guys.

Load has to consider traffic patterns, which this doesn't. Although it
is *some* measure of performance. I use them here and there when unsure.

Matt

Gentoo-Wally wrote:
> My math is not so good so... j/k
>
> Isn't there a site somewhere where you can copy a rule into it and it
> would test it for performance?
>
> Wally
>
> On 1/11/07, Martin Holste
<martin.holste-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
>> It seems to me that it should be possible to create a somewhat simple
>> (or at least straightforward) formula for how much effort it takes to
>> process a given rule. It could be as simple as a unit of snort
>> processing so that rule comparisons can be made, though not translated
>> directly to actual CPU cycles or other measurable real-world events.
>>
>> I'm not sure if benchmarking or code-analysis (or some combination)
>> would prove the most accurate. Obviously, different
>> compiling/architecture options affect Snort's performance, but it
>> seems to me that a theoretical performance formula is tangible based
>> on the source code. I also think that it would be fair to assume that
>> the ac-bnfa matching algorithm is used, since it is destined to be the
>> default.
>>
>> So, to that end, do you think this mailing list could put together
>> something to start a list of values where an oink = 1 unit of Snort
>> processing load? Even estimated values would be helpful.
>>
>> Matching Oinks
>> content x (per char)
>> pcre x (per char)
>> rawbytes x (per char)
>> uricontent x (per char)
>> isdataat x
>> byte_test x
>> byte_jump x
>> ftpbounce x
>> regex x (per char)
>>
>> Modifiers Oinks
>> nocase x
>> depth x
>> offset x
>> distance x
>> within x
>>
>> Non-payload Oinks
>> fragoffset x
>> ttl x
>> tos x
>> id x
>> ipopts x
>> fragbits x
>> dsize x
>> flags x
>> flow x
>> flowbits x
>> seq x
>> ack x
>> window x
>> itype x
>> icode x
>> icmp_id x
>> icmp_seq x
>> rpc x
>> ip_proto x
>> sameip x
>>
>> We'd then need to figure out multipliers for single/all ports and IP
>> filters as well as other miscellaneous additions to the formula.
>>
>> So, if something like this has been done, please point me to it, but I
>> was unable to Google anything like this, and I figured that with all
>> of the seasoned Snort vets on this list we ought to be able to come up
>> with something.
>>
>> --Martin
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
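As an added illustration of the per-option cost model proposed in the quoted message (my own example, not code from the list or from the Snort project), the script below parses a Snort rule, sums a placeholder oink weight per option (per-character for content/uricontent/pcre, flat for the modifiers and non-payload checks), and applies a multiplier when the rule has no specific destination port. Every weight, the multiplier and the sample rule are constructed assumptions, not measured values.

```python
import re

# Placeholder per-option weights in "oinks" (constructed; the thread leaves
# every value as "x", so none of these are measured numbers).
PER_CHAR = {"content": 1.0, "uricontent": 1.0, "pcre": 3.0}   # cost per char/byte
FLAT = {"nocase": 2.0, "depth": 0.5, "offset": 0.5, "distance": 0.5, "within": 0.5,
        "flow": 1.0, "flowbits": 1.0, "dsize": 0.5, "isdataat": 1.0,
        "byte_test": 2.0, "byte_jump": 2.0}
ANY_PORT_MULT = 2.0  # assumed multiplier when the rule has no specific dest port

# One rule option: keyword, optional ":value" (quoted strings may contain ';'), ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*((?:"(?:[^"\\]|\\.)*"|[^;])*))?;')

def content_len(val: str) -> int:
    """Bytes a content match compares: |0d 0a| hex blocks count one per byte."""
    n = 0
    for i, chunk in enumerate(val.lstrip("!").strip('"').split("|")):
        n += len(chunk.split()) if i % 2 else len(chunk)
    return n

def parse_rule(rule: str):
    """Split a rule into header fields and a list of (keyword, value) options."""
    header, body = rule.split("(", 1)
    body = body.rsplit(")", 1)[0]
    return header.split(), [(k, v.strip()) for k, v in OPTION_RE.findall(body)]

def estimate_oinks(rule: str) -> float:
    """Sum the placeholder weights of every option, then apply the port multiplier."""
    fields, opts = parse_rule(rule)
    total = 0.0
    for key, val in opts:
        if key == "pcre":
            pattern = val.strip('"').rsplit("/", 1)[0].lstrip("/")  # drop delimiters/flags
            total += PER_CHAR[key] * len(pattern)
        elif key in PER_CHAR:
            total += PER_CHAR[key] * content_len(val)
        elif key in FLAT:
            total += FLAT[key]
    if fields[6] == "any":          # header: action proto src sport dir dst dport
        total *= ANY_PORT_MULT
    return total

# Constructed sample rule (not taken from any real ruleset)
SAMPLE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; '
          r'flow:to_server,established; content:"GET |0d 0a|"; nocase; depth:20; '
          r'pcre:"/^GET\s+\/admin/i"; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(estimate_oinks(SAMPLE))                                           # 51.5
    print(estimate_oinks(SAMPLE.replace("$HOME_NET 80", "$HOME_NET any")))  # 103.0
```

Swapping the placeholder tables for numbers obtained by benchmarking each option is what turns this from a comparison unit into a load estimate.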


