[Snort-devel] Some real results: CheckDstIP and function check order.
cmg at ...402...
Thu Mar 21 10:40:02 EST 2002
Mark Vevers <mark at ...1121...> writes:
> Having tried the suggested order change from Christian
> Mock here are some definitive results and how snort
> performance varies with the number of IPs specified in
> $HOME_NET. This is for 50000 packets, 751 rules on a PIII 1G
> using snort -c snort.conf -oz est -k noip -r tcmpdump.file.
> Snort 1.9dev build 103
> Order       9 home nets   2 home nets   0 home nets (any)
> Port, IP    0m8.660       0m4.170s      0m3.230s
> IP, Port    0m22.930      0m5.760s      0m3.290s
> As you can see although with the ports / IP checks swapped round,
> snort still takes 2.7 times as long to process the data with our
> full complement of home_nets. I'm not even going to talk about
> the IP, port order .... ;-)
This has been changed :-) It will be changed further in the future
but it's too easy a change and too big a difference for the multiple
CIDR Folks to not do.
Chris Green <cmg at ...402...>
A watched process never cores.