[Snort-devel] Some real results: CheckDstIP and function check order.

Mark Vevers mark at ...1121...
Thu Mar 21 10:01:06 EST 2002

Having tried the suggested order change from Christian
Mock, here are some definitive results and how snort
performance varies with the number of IPs specified in
$HOME_NET. This is for 50000 packets, 751 rules on a PIII 1G
using snort -c snort.conf -oz est -k noip -r tcmpdump.file.
Snort 1.9dev build 103

Order            9 home nets     2 home nets      0 home nets (any)
Port, IP         0m8.660         0m4.170s         0m3.230s
IP, Port         0m22.930        0m5.760s         0m3.290s

As you can see, even with the ports / IP checks swapped round,
snort still takes 2.7 times as long to process the data with our
full complement of home_nets.  I'm not even going to talk about
the IP, port order .... ;-)


Mark Vevers.    mark at ...1121... / mvevers at ...1186...
Internet Backbone Engineering Team
Internet for Learning, Research Machines Plc
Tel: +44 1235 823380,   Fax: +44 1235 823424
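
The interaction between check order and $HOME_NET size reported above can be reproduced in a simplified model. This is an added example, not Snort source and not code from the post: the structures, `run_model`, and the traffic (751 rules with distinct ports, destinations outside every home net) are constructed assumptions, and it counts only address comparisons, not wall-clock time.

```c
#include <stdint.h>

/* Simplified model, not Snort source: every rule checks one destination
   port and the same home-net list (an empty list means "any"). */
struct net  { uint32_t addr, mask; };
struct rule { uint16_t dport; };
struct pkt  { uint32_t dst; uint16_t dport; };

static unsigned long ip_compares;   /* CIDR comparisons performed */
static unsigned long rule_matches;  /* rules whose checks all passed */

static int check_dst_ip(const struct pkt *p, const struct net *nets, int n)
{
    if (n == 0) return 1;                       /* "any": no list walk */
    for (int i = 0; i < n; i++) {
        ip_compares++;
        if ((p->dst & nets[i].mask) == nets[i].addr) return 1;
    }
    return 0;                                   /* walked the whole list */
}

static int check_dst_port(const struct pkt *p, const struct rule *r)
{
    return p->dport == r->dport;
}

/* Run npkts constructed packets against nrules constructed rules and
   return how many CIDR comparisons the chosen check order costs.
   nnets must be <= 16. */
unsigned long run_model(int port_first, int nnets, int nrules, int npkts)
{
    struct net nets[16];
    for (int i = 0; i < nnets; i++) {           /* constructed 10.i.0.0/16 */
        nets[i].addr = 0x0A000000u | ((uint32_t)i << 16);
        nets[i].mask = 0xFFFF0000u;
    }
    ip_compares = rule_matches = 0;
    for (int k = 0; k < npkts; k++) {
        /* constructed traffic: 192.168.x.x, outside every home net */
        struct pkt p = { 0xC0A80000u + (uint32_t)k, (uint16_t)(k % 1024) };
        for (int r = 0; r < nrules; r++) {
            struct rule ru = { (uint16_t)(r % 1024) };
            int hit = port_first
                ? check_dst_port(&p, &ru) && check_dst_ip(&p, nets, nnets)
                : check_dst_ip(&p, nets, nnets) && check_dst_port(&p, &ru);
            rule_matches += (unsigned long)hit;
        }
    }
    return ip_compares;
}
```

With the IP check first, every packet/rule pair walks the full list, so the cost grows linearly with the number of home nets; with the port check first, the list is walked only for the rules whose port already matched.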
