[Snort-devel] Some real results: CheckDstIP and function check order.

Chris Green cmg at ...402...
Thu Mar 21 10:40:02 EST 2002


Mark Vevers <mark at ...1121...> writes:

> Having tried the suggested order change from Christian
> Mock here are some definitive results and how snort
> performance varies with the number of IPs specified in
> $HOME_NET. This is for 50000 packets, 751 rules on a PIII 1G
> using snort -c snort.conf -oz est -k noip -r tcmpdump.file.
> Snort 1.9dev build 103
>
> Order            9 home nets     2 home nets      0 home nets (any)
> Port, IP         0m8.660         0m4.170s         0m3.230s
> IP, Port         0m22.930        0m5.760s         0m3.290s
>
> As you can see although with the ports / IP checks swapped round,
> snort still takes 2.7 times as long to process the data with our
> full complement of home_nets.  I'm not even going to talk about
> the IP, port order .... ;-)

This has been changed :-)  It will be changed further in the future
but it's too easy a change and too big a difference for the multiple
CIDR Folks to not do.

-- 
Chris Green <cmg at ...402...>
A watched process never cores.
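
Added example (not part of the original thread and not Snort source code): a simplified C model of why check order matters when $HOME_NET lists several CIDR blocks. The names check_dst_port, check_dst_ip and run_traffic, the 10.0.x.0/24 nets and the traffic mix are assumptions constructed for illustration; the model counts CIDR comparisons and does not reproduce the timings quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not Snort source: a rule matches when the destination
   port equals the rule port AND the destination IP is in some home net. */
struct cidr { uint32_t net, mask; };
struct pkt  { uint32_t dst_ip; uint16_t dst_port; };

static unsigned long cidr_cmps;  /* CIDR comparisons performed so far */
static unsigned matches;         /* packets that matched the rule */

static int check_dst_ip(const struct pkt *p, const struct cidr *nets, size_t n) {
    for (size_t i = 0; i < n; i++) {       /* cost grows with the HOME_NET list */
        cidr_cmps++;
        if ((p->dst_ip & nets[i].mask) == nets[i].net) return 1;
    }
    return 0;
}

static int check_dst_port(const struct pkt *p, uint16_t port) {
    return p->dst_port == port;            /* one integer comparison */
}

/* Run 1000 constructed packets through one rule (dst port 80, dst in HOME_NET).
   n_nets is 1..9; port_first != 0 means "Port, IP". Returns CIDR comparisons. */
unsigned long run_traffic(size_t n_nets, int port_first) {
    struct cidr nets[9];
    for (size_t i = 0; i < 9; i++) {       /* 10.0.0.0/24 .. 10.0.8.0/24 */
        nets[i].net = 0x0A000000u | ((uint32_t)i << 8);
        nets[i].mask = 0xFFFFFF00u;
    }
    cidr_cmps = 0; matches = 0;
    for (unsigned i = 0; i < 1000; i++) {
        /* dst sits in the last listed net; 1 packet in 10 goes to port 80 */
        struct pkt p = { nets[n_nets - 1].net | 5u,
                         (uint16_t)(i % 10 ? 1024 + i : 80) };
        int hit = port_first
            ? check_dst_port(&p, 80) && check_dst_ip(&p, nets, n_nets)
            : check_dst_ip(&p, nets, n_nets) && check_dst_port(&p, 80);
        matches += (unsigned)hit;
    }
    return cidr_cmps;
}

int main(void) {
    printf("IP, Port: %lu  Port, IP: %lu\n", run_traffic(9, 0), run_traffic(9, 1));
    return 0;
}
```

Both orders match the same packets; only the number of times the CIDR list is walked differs, and that gap widens as more nets are listed.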




