[Snort-devel] Some real results: CheckDstIP and function check order.
mark at ...1121...
Thu Mar 21 10:01:06 EST 2002
Having tried the suggested order change from Christian
Mock, here are some definitive results and how snort
performance varies with the number of IPs specified in
$HOME_NET. This is for 50000 packets, 751 rules on a PIII 1G
using snort -c snort.conf -oz est -k noip -r tcmpdump.file.
Snort 1.9dev build 103
Order      9 home nets   2 home nets   0 home nets (any)
Port, IP   0m8.660       0m4.170s      0m3.230s
IP, Port   0m22.930      0m5.760s      0m3.290s
As you can see, even with the ports / IP checks swapped round,
snort still takes 2.7 times as long to process the data with our
full complement of home_nets. I'm not even going to talk about
the IP, port order .... ;-)
Mark Vevers. mark at ...1121... / mvevers at ...1186...
Internet Backbone Engineering Team
Internet for Learning, Research Machines Plc
Tel: +44 1235 823380, Fax: +44 1235 823424