[Snort-devel] Thoughts on threads

Nash nash at ...357...
Fri Apr 6 15:52:13 EDT 2001

On Sat, Apr 07, 2001 at 02:21:04AM +0700, Fyodor wrote:
> I see. IMHO the data which we expect to be used to generated would be the same
> as the 'real-world' data since we will probably be running compiled for
> profiling snort binary on the real network. (although during my last testing
> it slowed down the process a lot, so I dunno if profiled snort could really keep
> up on a busy segment).

That's basically the problem. You might consider running snort on the network in
unprofiled mode for a while and just having it log all the packets. When it fills
up a few dozen gig you can then write a Perl script to replay the packets to a
profiling perl. Mmm ...  test harnesses. Much fun in the sun. ;-)

But, you still face the possibility that the XX gigs of data you have stored on
disk will be different enough that performance will be lost b/c of it being a
special case.

> By the way you have any suggestions for more complex math except for manual
> code analysis? :) Looks like you have got quite some experience with this :)

Not enough experience. My only suggestion would be to always keep in mind the
worst case performance for the algorithms involved. Knowing the value of the O(f(n))
performance for your algorithm (f(n)) is really important. Manual code analysis
meaning line by line? Yeah, that's icky stuff.

E.g., your idea about building the rules into trees is a really good one. It
can be shown that in the right kind of tree your performance will never be worse
than O(n * log(2, n)). This is quite good for a match. It's far better to optimize
this way first and then optimize for fewer instructions. Your biggest benefits are
usually from using better algorithms. That being said, Marty has incredible instincts
for what makes fast algorithms. It's tough to argue against the current decoder scheme
since it's essentially instantaneous. =)




   "Babbage himself acknowledged Jacquard's precedence: when
   he presented the concept for his Analytical Engine at the
   Turin conference, he brought  with him a silk portrait of
   Jacquard  that  had been  produced  by an  automatic loom
   programmed  by no fewer than twenty-four thousand  cards. 
   Even by today's standards, that's a lot of code."
                                - Jim Holt,
                                  The New Yorker 2001/3/5
