Supercharging Snort
You can make the Snort IDS work harder for you by getting Snort rulesets earlier and by ensuring that the rules you run are efficient.
June 14, 2005
Certainly you've heard of the open-source Intrusion Detection System/Intrusion Prevention System (IDS/IPS) Snort. Maybe you're one of the countless people who use it. If so, you know it's a great tool with a huge amount of support from the user community. You might also know that Sourcefire, the company behind Snort, offers a commercial version of Snort and other network-protection tools. When I recently visited the Snort.org Web site, I learned that you can now subscribe to the Sourcefire Vulnerability Research Team's certified rulesets, which means that you can receive the latest rulesets five days sooner than those rulesets are released to the general public.
http://www.snort.org/rules/why_subscribe.html
Maybe you write your own rules in addition to using rulesets available at the Snort Web site. As with the source code for any application, the way a rule is written affects the performance of Snort. Poorly written rules take more time to process. A few extra microseconds of processing time here and there might not seem like a big deal, but under a realistic overall traffic load those microseconds add up to full seconds very quickly, and of course those seconds add up to minutes. The more efficient your rules, the more efficiently your IDS runs, and the less likely it is that Snort starts dropping packets it should have inspected.
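To illustrate the point, here are two constructed rules, added for this article and not taken from the Snort distribution or from any of the tests discussed here, that perform the same logon check in a slow and a faster way. The protocol details (TCP port 5050, a client payload beginning with "YMSG", and the two service-code bytes in the regex) are assumed for the sake of the example.

```snort
# Slow version (constructed example): no flow direction, no port restriction,
# and no content: option. Because there is no literal content to hand to
# Snort's fast pattern matcher, the pcre: runs against every TCP packet
# that reaches the rule, which is exactly the kind of rule that drags
# the whole engine down.
alert tcp any any -> any any (msg:"CHAT example logon (slow)"; \
    pcre:"/^YMSG.{8}\x00\x01/s"; classtype:policy-violation; \
    sid:1000001; rev:1;)

# Faster version (constructed example) performing the same check:
#  - $HOME_NET -> $EXTERNAL_NET 5050 limits the rule to the service port;
#  - flow:to_server,established skips replies and unestablished traffic;
#  - content:"YMSG"; depth:4; anchors a literal match in the first four
#    payload bytes, so the fast pattern matcher discards non-matching
#    packets before the comparatively expensive pcre: is ever evaluated.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT example logon (fast)"; \
    flow:to_server,established; content:"YMSG"; depth:4; \
    pcre:"/^YMSG.{8}\x00\x01/s"; classtype:policy-violation; \
    sid:1000002; rev:1;)
```

The two rules alert on the same packets; the difference is only in how many packets Snort has to examine at each stage before deciding that a rule cannot match.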
So how can you determine how efficient your rules are? An easy way is to use the new TurboSnortRules online benchmarking tool, sponsored by VigilantMinds. TurboSnortRules is a Web-based service that lets you enter a rule and test its performance on various versions of Snort against a set of control data. The test output shows you how fast your rule operates on those selected versions.
http://www.turbosnortrules.org
As an example of how effective the service can be, take a look at the two sets of test results listed at the URLs below. Both tested rules are designed to detect Yahoo! Messenger logons. As you'll see in the results, one rule operates much faster than the other.
http://www.turbosnortrules.org/test_results.php?test_id=156
http://www.turbosnortrules.org/test_results.php?test_id=157
For another example, look at the two sets of test results for rules designed to detect the Mytob Trojan horse (at the first two URLs below). One rule operates faster than the other, but in this case, the difference in speed isn't as dramatic as in the comparison of the Yahoo! Messenger rules. Even so, every little bit of speed improvement helps. One slow rule could cause Snort to begin dropping packets, which could jeopardize your overall security. See the third URL below too, which graphically illustrates the damage one poorly written rule can do.
http://www.turbosnortrules.org/test_results.php?test_id=160
http://www.turbosnortrules.org/test_results.php?test_id=159
http://www.turbosnortrules.org/whatis-speed.php
Also at the TurboSnortRules site, you'll find a searchable database for looking up rules that are either part of the Snort distribution or that have been submitted to the site by administrators for testing. The database is a good way to find rules you might need but don't want to write yourself, and the related performance data shows you how well those rules perform. Another excellent resource at the site is the Snort Performance Wiki, which has a lot of useful suggestions about how to make Snort run as fast as possible.