Slashdot Mirror


Compiling Snort Rules

Sergei Egorov writes "Good people at Fidelis Security Systems developed SNORTRAN, an optimizing compiler for Snort rules. By combining several compilation techniques, SNORTRAN is able to translate a set of Snort rules into a high-performance intrusion detection engine. SNORTRAN-generated engines are 4 to 6 times faster than Snort's own detection engine; this translates into an overall speedup factor of 3 to 5 for a complete Snort system (benchmarks are here)."
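The summary above describes turning a whole rule set into a single detection engine instead of evaluating the rules one at a time, and a comment further down notes that Snort's rules are the signatures it matches against traffic. What follows is an added example written for this page, not SNORTRAN's or Snort's code, and it makes no claim about how SNORTRAN works internally. It parses four constructed Snort-style rules with a cut-down grammar (only msg, content, nocase and the destination port are honoured), compiles their content patterns into one Aho-Corasick automaton so that each payload is walked once for all rules, and compares both the alerts and the number of byte transitions against a rule-at-a-time scan over constructed packets. The rules, the packets, the simplified grammar and the `evaluate` helper (which returns, per packet, the naive engine's (alerts, steps) pair followed by the compiled engine's) are all assumptions made here.

```python
# Added example, not SNORTRAN's or Snort's code: Snort-style rules compiled into
# one Aho-Corasick matcher, checked against a rule-at-a-time scan.
import re
from collections import deque, namedtuple
# Constructed rules; only msg, content, nocase and the destination port are honoured.
RULES = r'''
alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1001;)
alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; sid:1002;)
alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; nocase; sid:1003;)
alert tcp any any -> any any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90|"; sid:1004;)
'''
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPTION = re.compile(r'(\w+)(?::"([^"]*)"|:([^;]*))?\s*;')
Rule = namedtuple('Rule', 'msg dport content nocase')   # dport None means "any"

def decode_content(text):
    # Snort content strings mix literal text with |hex byte| runs.
    return b''.join(bytes.fromhex(p) if i % 2 else p.encode('latin-1')
                    for i, p in enumerate(text.split('|')))

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line)
        if not m: raise ValueError('unparsable rule: ' + line)
        opts = {k: (q or v) for k, q, v in OPTION.findall(m.group(7))}
        dport = None if m.group(6) == 'any' else int(m.group(6))
        rules.append(Rule(opts['msg'], dport, decode_content(opts['content']), 'nocase' in opts))
    return rules

class AhoCorasick:
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for idx, pat in enumerate(patterns):            # keyword trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                s = self.goto[s][b]
            self.out[s].append(idx)
        queue = deque(self.goto[0].values())            # depth-1 states fail to root
        while queue:                                    # BFS for failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        # (pattern index, end offset) hits plus transitions: one per byte, one per failure link.
        s, hits, steps = 0, [], 0
        for i, b in enumerate(data):
            steps += 1
            while s and b not in self.goto[s]:
                s, steps = self.fail[s], steps + 1
            s = self.goto[s].get(b, 0)
            hits.extend((idx, i) for idx in self.out[s])
        return hits, steps

def naive_scan(rules, dport, payload):
    # Rule-at-a-time engine: every applicable rule walks the payload by itself.
    alerts, steps, lowered = set(), 0, payload.lower()
    for r in rules:
        if r.dport is not None and r.dport != dport: continue
        hay, needle = (lowered, r.content.lower()) if r.nocase else (payload, r.content)
        for i in range(len(hay) - len(needle) + 1):
            steps += 1
            if hay[i:i + len(needle)] == needle:
                alerts.add(r.msg)
                break
    return alerts, steps

def compiled_scan(matcher, rules, dport, payload):
    # Compiled engine: one pass for every pattern at once; only rules whose
    # pattern fired get their remaining options (port, case) evaluated.
    alerts = set()
    hits, steps = matcher.search(payload.lower())
    for idx, end in hits:
        r = rules[idx]
        if r.dport is not None and r.dport != dport: continue
        if not r.nocase and payload[end - len(r.content) + 1:end + 1] != r.content: continue
        alerts.add(r.msg)
    return alerts, steps

PACKETS = [   # constructed (destination port, TCP payload) pairs
    (80, b"GET /scripts/..%c1%1c../winnt/system32/CMD.exe?/c+dir HTTP/1.0\r\n"),
    (21, b"site exec %p%p%p%p\r\n"),
    (80, b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n"),
    (6667, b"\x90" * 12 + b"\xeb\x1f"),
    (80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    (25, b"SITE EXEC on the wrong port\r\n"),          # port mismatch: must not alert
]

def evaluate(rules, packets):
    matcher = AhoCorasick([r.content.lower() for r in rules])
    return [(naive_scan(rules, p, d), compiled_scan(matcher, rules, p, d)) for p, d in packets]
```

Run `evaluate(parse_rules(RULES), PACKETS)` and the two engines agree on every packet, including the last one, where the pattern is present but the rule's destination port does not match. Even with four rules the compiled engine takes fewer transitions, and the gap grows with the rule count: the naive engine's cost is proportional to rules times payload, while the automaton's is bounded by twice the payload length however many patterns it holds. The split into "find the pattern fast, then confirm the other options" is what keeps case-sensitive rules cheap here: everything runs over the lowercased payload and only a rule that actually fired pays for the raw-byte comparison.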

10 comments

  1. Snort ? by mystran · · Score: 0, Flamebait

    What the heck is Snort anyway?

    --
    Software should be free as in speech, but if we also get some free beer, all the better.
    1. Re:Snort ? by plcurechax · · Score: 3, Insightful

      Snort is a Network Intrusion Detection System (NIDS) which is open source, and fast.

      The rules are the signatures Snort uses to detect "attacks" or other activities that match a given rule.

  2. RealSecure 7.0 already does this by Krelnik · · Score: 3, Interesting
    FYI, they are not the first to run Snort rules faster than Snort does. RealSecure 7.0 by ISS already does this. I believe they use a similar technique internally, although I have no direct knowledge of it. RealSecure can also run rings around Snort performance-wise on off-the-shelf hardware, particularly with certain types of attacks going on.

    However, as explained in this white paper you might not even want to try to run Snort rules in RealSecure, because in many cases its own signatures are much more accurate. That's because RealSecure actually does protocol analysis, while Snort just matches patterns. See the paper for details.

    Full disclosure: I used to work at ISS and still own a bunch of stock in it. However I wouldn't post this for any of their products (some of them suck). RealSecure is one of their good ones.

    1. Re:RealSecure 7.0 already does this by Anonymous Coward · · Score: 0

      Attention corporate shill:

      Your IDS sucks. Here is the proof:

      On the sensor side, Nokia's hardware-based security appliance runs RealSecure 6.5 from Internet Security Systems (ISS). The volume of traffic on the Opus One network caused the IP530's RealSecure process to terminate roughly once a day until Nokia supplied a patch.

    2. Re:RealSecure 7.0 already does this by Krelnik · · Score: 2

      Attention anonymous coward:

      Apples and oranges! RealSecure 6.5 and 7.0 are two completely different beasts. Add to that the peculiarities of the Nokia platform and you're off in bananas now.

      RealSecure 7.0 is the first version to integrate the "BlackIce" technology ISS obtained when it bought Network ICE last year. RealSecure 6.5 on Nokia has none of that.

  3. Heh heh by greenhide · · Score: 5, Funny

    Yeah--yeah--compiling snort rules.

    Huh huh.

    --
    Karma: Chevy Kavalierma.
  4. prelude portsentry by nocomment · · Score: 1

    So how does it compare with prelude and portsentry?
    My understanding is that snort is only good at single networks, anything more than that you will want prelude. Any truth to this? ***this was on a prelude irc channel*** What's the real deal slashdot-istas?

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  5. Snort rule #1 by Anonymous Coward · · Score: 0

    One line, motherfucker. ONE FUCKING LINE.

    Bitch was trying to snort the whole fucking mirror.

  6. Snort rule #2 by castlan · · Score: 1

    Don't Sneeze!

    If you have to sneeze, hold your damn nose, and look the other way.

    ---

    Excuse me while I powder my nose.