Performance Tuning Snort. Steve Sturges SANS Incident Detection Summit 9 December

Transcription

1 Performance Tuning Snort Steve Sturges SANS Incident Detection Summit 9 December

2 Agenda Goals of Performance Tuning Snort Techniques Perfmon Preprocessor Preprocessor Profiling Rule Profiling White papers Upcoming Snort Features Q&A 2

3 Goals of Performance Tuning Improve Snort throughput Higher MB/s Inspect traffic more efficiently Reduce Packet Latency Important when inline Lower per packet processing time Eliminate network hiccups 3

4 Perfmon Preprocessor Configuring Perfmon Printing to Console vs File File provides quicker output, but need to post-process CSV file Packet Count, Time Intervals, Exit Only Flow Data Breakdown of port and packet size distributions Look for High Port to High Port traffic Look for Heavy talkers/listeners 4

5 Perfmon Preprocessor (cont) Stats Categories Throughput CPU Usage Pattern Matching Stream Frag Understanding Flow Data Breakdown of port and packet size distributions Look for High Port to High Port traffic Look for Heavy talkers/listeners 5

6 Perfmon Preprocessor (cont) Throughput Stats Higher = better performance Increase by steps throughout CPU Usage Lower = better performance Decrease by steps throughout 6

7 Perfmon Preprocessor (cont) Pattern Matching Stats Lower = better performance Decrease by eliminating benign traffic from inspection Reduce number & size of TCP reassembled packets Reduce HTTP client & server flow depths Limit size of DCE/RPC reassembled packets Ignore encrypted traffic Ignore FTP data channel transfers Use of BPFs & Ignore Ports 7

8 Perfmon Preprocessor (cont) Stream Stats Cache Faults, Timeouts Increase number of sessions tracked Increase memcap Correctly set timeout TCP SYNs vs SYN/ACKs Snort performs best when seeing symmetric traffic Frag Stats Frag Faults, Frag Auto Deletes, Frag Timeouts Increase max_frags and memcap Use prealloc_memcap or prealloc_frags Correctly set timeout 8

9 Perfmon Preprocessor (cont) Flow Data Breakdown of port and packet size distributions Reduce number of packets included in TCP Reassembly Look for High Port to High Port traffic Look for Heavy talkers/listeners 9

10 Preprocessor Profiling Performance Breakdown of Snort s Phases Preprocessors Sub categories Detection Pattern Matching (MPSE) Rule Options (various option types) Output/Event Logging 10

11 Preprocessor Profiling (cont) Checks Reduce to improve performance Correctly configure preprocessor ports Ignore traffic as noted earlier Average per Check Reduce to improve performance Eliminate large blocks of data, correct configuration of TCP reassembly ports/services Eliminate unnecessary preprocessors based on rule set Eliminate unnecessary rules to help MPSE Use faster pattern matching algorithm 11

12 Rule Profiling Performance Breakdown of Individual Rules Rules as part of Snort s total time Overlap across rules with common detection options For rules within same group, place common options first and in same order Start with flow:established,<direction> Follow with common content options 12

13 Rule Profiling (cont) 13 Microseconds Reduce to improve individual rule performance Rule time vs Total Snort time Investigate if ratio is > 5% total Checks vs Matches vs Alerts Can rules that are not matching be turned off? flowbits:noalert can result in match but no alert Reduce checks by improving uniqueness and accuracy of content option used for pattern matching Should have at least one content in rule Longest pattern used Can specify alternate pattern with fastpattern modifier to content

14 Rule Profiling (cont) Average per Check Most often caused by expensive PCRE Reduce complexity of pattern Reduce possibility of recursion Split into multiple rules in cases of many ORs Use config options to restrict impact of PCRE pcre_match_limit pcre_match_limit_recursion 14

15 Tuning Guidelines Documents Posted on Snort.org Rule Writing Specifics VRT White Papers Rule Writing Methodology VRT Performance Rules Creation Series Performance Rules Creation I Performance Rules Creation II 15

16 Coming up in Snort Snort Beta to be released December 2009 Performance improvements in Snort s fast pattern matcher New detection capabilities for Client-side attacks (on Web Browsers/plugins, Mail Clients, etc). Credit Card/SSN and other pattern detection Snort 2.9 & Beyond Improved Inline Support Revision of packet acquisition (pcap, afpacket/pfring, netfilterq, etc.) 16

17 Q & A Session 17