Compiling Snort Rules - Slashdot

Catch up on stories from the past week (and beyond) at the Slashdot story archive

×

Compiling Snort Rules 10

Posted by timothy on Monday October 07, 2002 @03:45PM from the sniffle dept.

Sergei Egorov writes "Good people at Fidelis Security Systems developed SNORTRAN, an optimizing compiler for Snort rules. By combining several compilation techniques, SNORTRAN is able to translate a set of Snort rules into a high-performance intrusion detection engine. SNORTRAN-generated engines are 4 to 6 times faster than Snort's own detection engine; this translates into 3 to 5 overall speedup factor for a complete Snort system (benchmarks are here)."

This discussion has been archived. No new comments can be posted.

Compiling Snort Rules

Load All Comments

Search 10 Comments Log In/Create an Account

Comments Filter:

- Re:Snort ? (Score:3, Insightful)
  
  by plcurechax ( 247883 ) writes:
  
  Snort [snort.org] is an Network Intrusion Detection System (NIDS) which is open source, and fast.
  
  The rules are the signatures Snort uses to detect "attacks" or other activities that match a given rule.
RealSecure 7.0 already does this (Score:3, Interesting)

by Krelnik ( 69751 ) writes: <timfarley AT mindspring DOT com> on Monday October 07, 2002 @04:42PM (#4405678) Homepage Journal

FYI, they are not the first to run Snort rules faster than Snort does. RealSecure 7.0 [iss.net] by ISS already does this. I believe they use a similar technique internally, although I have no direct knowledge of it. RealSecure can also run rings around Snort performance-wise on off-the-shelf hardware, particularly with certain types of attacks going on.
However, as explained in this white paper [iss.net] you might not even want to try to run Snort rules in RealSecure, because in many cases its own signatures are much more accurate. That's because RealSecure actually does protocol analysis, while Snort just matches patterns. See the paper for details.
Full disclosure: I used to work at ISS [iss.net] and still own a bunch of stock in it. However I wouldn't post this for any of their products (some of them suck). RealSecure is one of their good ones.

Share
twitter facebook
- - Re:RealSecure 7.0 already does this (Score:2)
    
    by Krelnik ( 69751 ) writes:
    
    Attention anonymous coward:
    Apples and oranges! RealSecure 6.5 and 7.0 are two completely different beasts. Add to that the pecularities of the Nokia platform and you're off in bananas now.
    RealSecure 7.0 is the first version to integrate the "BlackIce" technology ISS obtained when it bought Network ICE last year. RealSecure 6.5 on Nokia has none of that.
Heh heh (Score:5, Funny)

by greenhide ( 597777 ) writes: <jordanslashdot@c ... m minus language> on Monday October 07, 2002 @05:23PM (#4406018)

Yeah--yeah--compiling snort rules.

Huh huh.

Share
twitter facebook
prelude portsentry (Score:1)

by nocomment ( 239368 ) writes:

So how does it compare with prelude and portsentry?
My understanding is that snort is only good at single networks, anything more than that you will want prelude. Any truth to this? ***this was on a prelude irc channel*** What's the real deal slasdot-istas?
- Snort rule #2 (Score:1)
  
  by castlan ( 255560 ) writes:
  
  Don't Sneeze!
  
  If you have to sneeze, hold your damn nose, and look the other way.
  
  ---
  
  Excuse my while I powder my nose.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

321 commentsShould a Variable's Type Come After Its Name?
293 commentsAre Scrums a Cancer?
258 commentsC++ Creator Rebuts White House Warning
228 commentsWhite House Urges Devs To Switch To Memory-Safe Programming Languages
226 comments34% of AP CS Students Couldn't Solve This Java-Based 2D Array Question

Never ask two questions in a business letter. The reply will discuss the one you are least interested, and say nothing about the other.