Slashdot Mirror


Compiling Snort Rules

Sergei Egorov writes "Good people at Fidelis Security Systems developed SNORTRAN, an optimizing compiler for Snort rules. By combining several compilation techniques, SNORTRAN is able to translate a set of Snort rules into a high-performance intrusion detection engine. SNORTRAN-generated engines are 4 to 6 times faster than Snort's own detection engine; this translates into an overall speedup factor of 3 to 5 for a complete Snort system (benchmarks are here)."


  1. RealSecure 7.0 already does this by Krelnik · Score: 3, Interesting
    FYI, they are not the first to run Snort rules faster than Snort does. RealSecure 7.0 by ISS already does this. I believe they use a similar technique internally, although I have no direct knowledge of it. RealSecure can also run rings around Snort performance-wise on off-the-shelf hardware, particularly with certain types of attacks going on.

    However, as explained in this white paper you might not even want to try to run Snort rules in RealSecure, because in many cases its own signatures are much more accurate. That's because RealSecure actually does protocol analysis, while Snort just matches patterns. See the paper for details.

    Full disclosure: I used to work at ISS and still own a bunch of stock in it. However I wouldn't post this for any of their products (some of them suck). RealSecure is one of their good ones.

    1. Re:RealSecure 7.0 already does this by Krelnik · Score: 2

      Attention anonymous coward:

      Apples and oranges! RealSecure 6.5 and 7.0 are two completely different beasts. Add to that the peculiarities of the Nokia platform and you're off in bananas now.

      RealSecure 7.0 is the first version to integrate the "BlackIce" technology ISS obtained when it bought Network ICE last year. RealSecure 6.5 on Nokia has none of that.

  2. Heh heh by greenhide · Score: 5, Funny

    Yeah--yeah--compiling snort rules.

    Huh huh.

    --
    Karma: Chevy Kavalierma.
  3. Re:Snort ? by plcurechax · Score: 3, Insightful

    Snort is a Network Intrusion Detection System (NIDS) which is open source and fast.

    The rules are the signatures Snort uses to detect "attacks" or other activities that match a given rule.
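As an added illustration of what "compiling a rule set" means in the sense the story and this comment describe (this is example code written for this page, not SNORTRAN's or Snort's own engine): a few constructed Snort-style rules are parsed, grouped by protocol and destination port so each packet only meets the rules that can apply to it, and each group's content strings are folded into one regex that is scanned in a single pass instead of testing every rule separately. The rules, sids and payloads are constructed for the example; only the header and `msg`/`content`/`sid` option syntax is real Snort syntax.

```python
import re
from dataclasses import dataclass

# Constructed Snort-style rules for this example (valid Snort 2 header syntax,
# toy content strings and sids; not taken from the real Snort rule set).
RULES = r'''
alert tcp any any -> any 80 (msg:"WEB traversal attempt"; content:"../"; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB cmd.exe request"; content:"cmd.exe"; sid:1000002;)
alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:1000003;)
'''

HEADER = re.compile(r'^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+'
                    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
                    r'\s*\((?P<opts>.*)\)\s*$')

@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: str
    content: str

def parse_rule(line):
    """Parse one rule: header fields plus the msg/content/sid options.
    Simplifications: one plain-text content per rule, no |hex| bytes,
    no modifiers (nocase, offset, depth), and no ';' inside quoted values."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('unparsable rule: ' + line)
    opts = {}
    for opt in filter(None, (o.strip() for o in m['opts'].split(';'))):
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return Rule(int(opts['sid']), opts.get('msg', ''), m['proto'], m['dport'], opts['content'])

def compile_ruleset(text):
    """'Compile' the rule set: group rules by (proto, dport) and fold each
    group's content strings into one alternation regex with a named group
    per sid, so a payload is scanned once per group rather than once per rule."""
    groups = {}
    for line in text.strip().splitlines():
        r = parse_rule(line)
        groups.setdefault((r.proto, r.dport), []).append(r)
    return {key: re.compile('|'.join('(?P<s%d>%s)' % (r.sid, re.escape(r.content))
                                     for r in rules), re.S)
            for key, rules in groups.items()}

def match_packet(compiled, proto, dport, payload):
    """Return the sids of all rules whose content appears in the payload."""
    regex = compiled.get((proto, str(dport))) or compiled.get((proto, 'any'))
    if regex is None:
        return []
    return sorted({int(m.lastgroup[1:]) for m in regex.finditer(payload)})
```

Port grouping is why a packet to tcp/80 is never tested against the FTP rule at all, and the single alternation is the simplest form of the "match many patterns in one pass" idea that a real compiled engine builds on.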