Snort IP_List Performance

For a long time now we’ve been using a modification to snort that allows for more efficient processing of rules that match lists of IP addresses, but we’ve only recently taken a hard look at it’s performance properties. 

In general, we rely on BotHunter for reputation alerts in snort and turn off the poorer performing reputation sets from other signature providers. However, we’ve had customers who have their own rule sets that follow the same method of matching long lists of IP addresses and have run into performance issues… so we broke out some perl scripts and ran some tests!

After the initial tests using tcpreplay showed a huge difference in the drop rate between the two methods, we decided to run snort directly against a 5GB pcap.

First using the standard reputation rule sets from ET Pro (1,365 rules which contain primarily long lists of IP addresses): 

  • speed: 42605 packets per second
  • packet processing time: 210 seconds

Then we wrote up a script which would convert those rule files into a much smaller set of rules which reference the iplist component and ran the exact same trace:

  • speed: 218221 packets per second
  • packet processing time: 41 seconds

that’s a 512% increase in processing speed / throughput while generating the same alerts! no wonder the smart folks at SRI cooked this up for processing their reputation feeds. 

The conversion script for list-of-ip type rules is still in early testing, and you’d have to be running our custom version of snort ( which is bundled with our sensor software https://nsm.metaflows.com/linux.zip ) or the snort that comes with BotHunter, but if you want to try this out then get in touch with us and we’ll be happy to work with you.