[Emerging-Sigs] Performance of Rules 2016016 & 2016017

Martin Holste mcholste at gmail.com
Mon Dec 17 09:40:18 HAST 2012


We haven't seen any load issues with them.  Our DNS traffic is probably
around 2000-3000 packets/sec.


On Mon, Dec 17, 2012 at 1:27 PM, Christopher Granger <
chrisgrangerx at gmail.com> wrote:

> Hi ET,
>
> Just due diligence regarding enabling these rules on potentially
> performance-sensitive Sourcefire devices:
>
> alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)
>
> alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:4;)
>
> Has anyone noticed issues with performance? I wouldn't think there would
> be, based on the fast_pattern/content matches.
>
> Thanks,
> -Chris
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
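The two rules quoted above match a very specific byte layout: a standard query header with QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (bytes 2..12), a non-empty QNAME terminated by a null byte, and then, immediately after it, QTYPE=ANY (0x00ff), QCLASS=IN (0x0001), a root-name OPT record (0x00, type 0x0029) whose UDP payload size has 0x10 as its high byte (4096..4351). The script below is an added example, not part of the original thread or of the ET ruleset; it re-implements that matching logic in plain Python over constructed DNS query packets so the offset/depth, relative PCRE and within:8 semantics can be checked by hand. The packet builder and the function names are my own.

```python
import struct
from typing import Optional

# Rule bytes, copied from sid 2016016/2016017.
# content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2
#   -> flags 0x0100 (standard query, RD), QD=1, AN=0, NS=0, AR=1
HEADER_AFTER_TXID = bytes.fromhex("01000001000000000001")
# content:"|00 ff 00 01 00 00 29 10|"; within:8
#   -> QTYPE ANY, QCLASS IN, OPT RR root name, type 41 (OPT), high byte of UDP payload size = 0x10
ANY_EDNS_TAIL = bytes.fromhex("00ff000100002910")


def matches_dns_amp_rule(payload: bytes) -> bool:
    """Return True if a UDP payload satisfies the content/pcre/content chain of the rule."""
    # content ... depth:10; offset:2  -> the 10 bytes must sit exactly at payload[2:12]
    if payload[2:12] != HEADER_AFTER_TXID:
        return False
    # pcre:"/^[^\x00]+?\x00/R"  -> relative to the previous match end (offset 12):
    # at least one non-null byte, then the first null byte (the QNAME terminator)
    end = payload.find(b"\x00", 12)
    if end == -1 or end == 12:          # no terminator, or an empty (root) QNAME
        return False
    cursor = end + 1
    # content ... within:8 -> an 8-byte pattern that must lie entirely within the
    # next 8 bytes can only start right at the cursor
    return payload[cursor:cursor + 8] == ANY_EDNS_TAIL


def build_query(qname: str, qtype: int, edns_size: Optional[int], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (constructed test input, not captured traffic)."""
    arcount = 1 if edns_size is not None else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)          # QNAME terminator, QTYPE, QCLASS IN
    if edns_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = requester's UDP payload size, TTL 0, RDLENGTH 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt


QTYPE_A, QTYPE_ANY = 1, 255

# Constructed samples: the classic amplification probe and a few near misses.
SAMPLES = {
    "ANY + EDNS0 4096":        build_query("isc.org", QTYPE_ANY, 4096),
    "ANY + EDNS0 4200":        build_query("isc.org", QTYPE_ANY, 4200),  # still 0x10xx
    "ANY, no EDNS0":           build_query("isc.org", QTYPE_ANY, None),  # ARCOUNT=0
    "A + EDNS0 4096":          build_query("isc.org", QTYPE_A, 4096),    # wrong QTYPE
    "ANY + EDNS0 512":         build_query("isc.org", QTYPE_ANY, 512),   # size high byte 0x02
    "ANY + EDNS0 8192":        build_query("isc.org", QTYPE_ANY, 8192),  # size high byte 0x20
}


def classify_samples() -> dict:
    return {name: matches_dns_amp_rule(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{'ALERT ' if hit else 'pass  '} {name}")
```

Two things the walk-through makes visible: the fast_pattern content is an 8-byte literal, so the multi-pattern matcher only hands a packet to the full rule when those exact bytes occur somewhere in the payload, which is why the PCRE costs little in practice; and the trailing 0x10 pins the rule to advertised EDNS0 buffer sizes of 4096..4351, so an ANY query advertising 512 or 8192 bytes is not matched.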