logo       
<prev   next>

Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...

Re: Rule Load Formula: msg#00075

security.ids.snort.bleedingsnort

Subject: Re: Rule Load Formula

Yes, I've seen that site, but I was unsatisfied with having to rely on
their results and with the lack of an API (for lack of a better term).
It seems worth it to me to figure out exactly what it takes (perhaps
down to count/size of memcpy's, etc?) for a rule op.

Applications of this formula would be mainly in scripting to run
historical reports on rule matches per system load. Or, more
importantly for those of us who are always redlining our boxes,
answering questions like "how many pps will I drop with the addition
of this rule?" or "what is the rule capacity of this given setup?" I
think the latter has been more of an issue lately, especially when you
look at the exponential growth of the rule sets.

Making truly informed decisions about the entirety of the rule set
seems like a worthwhile endeavor.

On 1/11/07, Matt Jonkman
<jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx> wrote:
Turbosnort.com is probably what you were thinking about. By the vigilant
minds guys.

Load has to consider traffic patterns, which this doesn't. Although it
is *some* measure of performance. I use them here and there when unsure.

Matt

Gentoo-Wally wrote:
> My math is not so good so... j/k
>
> Isn't there a site somewhere where you can copy a rule into it and it
> would test it for performance?
>
> Wally
>
> On 1/11/07, Martin Holste
<martin.holste-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
>> It seems to me that it should be possible to create a somewhat simple
>> (or at least straightforward) formula for how much effort it takes to
>> process a given rule. It could be as simple as a unit of snort
>> processing so that rule comparisons can be made, though not translated
>> directly to actual CPU cycles or other measurable real-world events.
>>
>> I'm not sure if benchmarking or code-analysis (or some combination)
>> would prove the most accurate. Obviously, different
>> compiling/architecture options affect Snort's performance, but it
>> seems to me that a theoretical performance formula is tangible based
>> on the source code. I also think that it would be fair to assume that
>> the ac-bnfa matching algorithm is used, since it is destined to be the
>> default.
>>
>> So, to that end, do you think this mailling list could put together
>> something to start a list of values where an oink = 1 unit of Snort
>> processing load. Even estimated values would be helpful.
>>
>> Matching Oinks
>> content x (per char)
>> pcre x (per char)
>> rawbytes x (per char)
>> uricontent x (per char)
>> isdataat x
>> byte_test x
>> byte_jump x
>> ftpbounce x
>> regex x (per char)
>>
>> Modifiers Oinks
>> nocase x
>> depth x
>> offset x
>> distance x
>> within x
>>
>> Non-payload Oinks
>> fragoffset x
>> ttl x
>> tos x
>> id x
>> ipopts x
>> fragbits x
>> dsize x
>> flags x
>> flow x
>> flowbits x
>> seq x
>> ack x
>> window x
>> itype x
>> icode x
>> icmp_id x
>> icmp_seq x
>> rpc x
>> ip_proto x
>> sameip x
>>
>> We'd then need to figure out multipliers for single/all ports and IP
>> filters as well as other miscellaneous additions to the formula.
>>
>> So, if something like this has been done, please point me to it, but I
>> was unable to Google anything like this, and I figured that with all
>> of the seasoned Snort vets on this list we ought to be able to come up
>> with something.
>>
>> --Martin
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Rule Load Formula, Matt Jonkman
Next by Date:  Re: Rule Load Formula, Matt Jonkman
Previous by Thread:  Re: Rule Load Formula, Matt Jonkman
Next by Thread:  Re: Rule Load Formula, Matt Jonkman
Indexes:  [Date] [Thread] [Top] [All Lists]

Google Custom Search
Recently Viewed:
qnx.openqnx.dev...    gcc.libstdc++.c...    solaris.opensol...    information-ret...    misc.misterhous...    web.catalyst.ge...    apache.webservi...    redhat.release....    hardware.lirc/2...    kernel.autofs/2...    technology.sust...    linux.vdr/2003-...    editors.lyx.gen...    org.user-groups...    netbsd.devel.pk...    xdg.devel/2004-...    version-control...    jakarta.slide.d...    debian.packages...    creativecommons...    ports.ppc.embed...    bug-tracking.bu...   
Home | blog view | USPTO Patent Archive | advertise | OSDir is an inevitable website. super tiny logo

Free Magazines

Cisco News
Receive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business.
subscribe

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe

Navigation