[Emerging-Sigs] Performance of Rules 2016016 & 2016017

Christopher Granger chrisgrangerx at gmail.com
Mon Dec 17 09:46:37 HAST 2012


Thank you all for the feedback!

-Chris

On Mon, Dec 17, 2012 at 2:45 PM, Joel Esler <jesler at sourcefire.com> wrote:

> I think the performance on those rules is going to be subjective to how
> much DNS traffic you are dealing with.  Obviously the performance intensive
> piece being here:
>
> pcre:"/^[^\x00]+?\x00/R"
>
>
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Dec 17, 2012, at 2:40 PM, Martin Holste <mcholste at gmail.com> wrote:
>
> We haven't seen any load issues with them.  Our DNS traffic is probably
> around 2000-3000 packets/sec.
>
>
> On Mon, Dec 17, 2012 at 1:27 PM, Christopher Granger <
> chrisgrangerx at gmail.com> wrote:
>
>> Hi ET,
>>
>> Just due diligence regarding enabling these rules on potentially
>> performance-sensitive Sourcefire devices:
>>
>> alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS
>> Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|";
>> depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00
>> 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src,
>> seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)
>>
>> alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS
>> Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|";
>> depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00
>> 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src,
>> seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:4;)
>>
>> Has anyone noticed issues with performance? I wouldn't think there would
>> be, based on the fast_pattern/content matches.
>>
>> Thanks,
>> -Chris
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>>
>
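As an added illustration, not part of the thread, this Python snippet replicates the matching logic of sids 2016016/2016017 (header bytes at offset 2, the pcre that skips the QNAME, and the 8 bytes for QTYPE ANY / QCLASS IN / OPT RR with an EDNS buffer of 0x10xx) over constructed DNS packets. The label walk beside the regex is an assumption about how one might avoid the pcre Joel points to; the packet builder and the "example.com" queries are constructed test input.

```python
import re
import struct
from typing import Callable, Optional

# Bytes the rules match at offset:2 depth:10 (everything after the DNS ID):
# flags 0x0100 (standard query, RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1.
HEADER_AFTER_ID = bytes.fromhex("01 00 00 01 00 00 00 00 00 01")
# Bytes required right after the QNAME (within:8): QTYPE ANY (0x00ff), QCLASS IN
# (0x0001), then the OPT RR: root name 0x00, type 41 (0x0029) and 0x10 as the high
# byte of the EDNS UDP payload size, i.e. a 4096..4351 byte response buffer.
AFTER_QNAME = bytes.fromhex("00 ff 00 01 00 00 29 10")
# The rules' pcre; /R makes it relative to the end of the previous content match.
QNAME_RE = re.compile(rb"^[^\x00]+?\x00")

def qname_end_pcre(payload: bytes, start: int) -> Optional[int]:
    """End of the QNAME as the rule's pcre finds it (anchored at `start`)."""
    m = QNAME_RE.match(payload[start:])
    return start + m.end() if m else None

def qname_end_walk(payload: bytes, start: int) -> Optional[int]:
    """Assumed regex-free alternative: walk the length-prefixed labels instead."""
    pos = start
    while pos < len(payload):
        length = payload[pos]
        if length == 0:                      # root label terminates the name
            return pos + 1 if pos > start else None  # pcre needs >= 1 byte before \x00
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None                      # compression pointer or truncated packet
        pos += 1 + length
    return None

def matches_dns_amp_rule(payload: bytes,
                         find_qname_end: Callable[[bytes, int], Optional[int]] = qname_end_walk) -> bool:
    """Replicates content -> pcre -> content/within ordering of sids 2016016/2016017."""
    if payload[2:12] != HEADER_AFTER_ID:     # content at offset:2 depth:10
        return False
    end = find_qname_end(payload, 12)        # pcre starts right after the header match
    if end is None:
        return False
    return payload[end:end + 8] == AFTER_QNAME  # 8-byte content, within:8

def build_query(name: str, qtype: int, edns_size: Optional[int]) -> bytes:
    """Constructed sample packet: one question plus an optional OPT RR."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    arcount = 1 if edns_size is not None else 0
    pkt = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    pkt += qname + struct.pack("!HH", qtype, 1)
    if edns_size is not None:                # OPT: name, type 41, UDP size, TTL, RDLENGTH
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt
```

Running `matches_dns_amp_rule` with `qname_end_pcre` versus `qname_end_walk` on the same packets shows the two agree on ordinary names, which is the check to make before swapping the pcre out on a loaded sensor.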