[Emerging-Sigs] Performance of Rules 2016016 & 2016017

Joel Esler jesler at sourcefire.com
Mon Dec 17 09:45:24 HAST 2012


I think the performance on those rules is going to be subjective to how much DNS traffic you are dealing with.  Obviously the performance intensive piece being here:

> pcre:"/^[^\x00]+?\x00/R"


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Dec 17, 2012, at 2:40 PM, Martin Holste <mcholste at gmail.com> wrote:

> We haven't seen any load issues with them.  Our DNS traffic is probably around 2000-3000 packets/sec.
> 
> 
> On Mon, Dec 17, 2012 at 1:27 PM, Christopher Granger <chrisgrangerx at gmail.com> wrote:
> Hi ET,
> 
> Just due diligence regarding enabling these rules on potentially performance-sensitive Sourcefire devices:
> 
> alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)
> 
> alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:4;)
> 
> Has anyone noticed issues with performance? I wouldn't think there would be, based on the fast_pattern/content matches.
> 
> Thanks,
> -Chris
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> 
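As an added example (constructed here, not ET or Snort code), the three match stages of sids 2016016/2016017 re-implemented in Python and run against constructed DNS query packets: the fixed header content at offset 2, the relative PCRE that walks the QNAME up to its terminating null, and the 8-byte content that must follow immediately (QTYPE ANY, QCLASS IN, root name, OPT type, first byte of the EDNS buffer size). Function and variable names are my own.

```python
import struct

# Constructed re-implementation of the rule options, in the order Snort evaluates them.
HEADER_CONTENT = bytes.fromhex("01000001000000000001")  # content; offset:2; depth:10
TAIL_CONTENT = bytes.fromhex("00ff00010000" + "2910")   # content; within:8 (relative)


def rule_matches(payload: bytes) -> bool:
    """Return True if the UDP payload would satisfy the rule's content/pcre chain."""
    # Stage 1: bytes 2..11 = flags 0x0100, QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1
    if payload[2:12] != HEADER_CONTENT:
        return False
    # Stage 2: pcre /^[^\x00]+?\x00/R -> starting right after the previous match,
    # consume at least one non-null byte, then the null that ends the QNAME.
    # This is the variable-length scan the thread singles out as the costly part.
    pos = 12
    end = payload.find(b"\x00", pos)
    if end == -1 or end == pos:  # no terminator, or QNAME is only the root label
        return False
    pos = end + 1
    # Stage 3: the 8 bytes right after the QNAME must be QTYPE ANY (00 ff),
    # QCLASS IN (00 01), root name (00), OPT type (00 29) and 0x10 as the high
    # byte of the EDNS UDP payload size, i.e. an advertised buffer of 4096..4351.
    return payload[pos:pos + 8] == TAIL_CONTENT


def build_query(qname: str, qtype: int, edns_size: int = 0) -> bytes:
    """Construct a minimal DNS query; edns_size > 0 appends an OPT record."""
    arcount = 1 if edns_size else 0
    hdr = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = name + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL (ext flags) 0, RDLEN 0
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return hdr + question + opt


if __name__ == "__main__":
    for desc, pkt in [
        ("ANY query, EDNS 4096", build_query("example.com", 255, 4096)),
        ("A query, EDNS 4096", build_query("example.com", 1, 4096)),
        ("ANY query, EDNS 512", build_query("example.com", 255, 512)),
        ("ANY query, no EDNS", build_query("example.com", 255)),
    ]:
        print(f"{desc:24s} -> {'ALERT' if rule_matches(pkt) else 'no match'}")
```

Only an ANY/IN query carrying an OPT record with a 0x10xx buffer size fires; a plain ANY query without EDNS fails already at the ARCOUNT check in stage 1.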
