[Snort-devel] benchmarking snort

Nathan Tuck ntuck1 at ...1977...
Sun May 11 14:56:06 EDT 2003


Hi.  I'm a new member to the list, but have been hacking on snort for
a little while.

My question is this.  If I make changes to the pattern matching engine
and am interested in determining whether I have increased or decreased
performance, what is the recommended way of going about measuring
that?

I've tried dumping sneeze output to a file and also using defcon
traces.  However, it appears to me that snort performance in these two
cases is really bottlenecked by my disk bandwidth, and logging output.
Thus far I have been benching snort with -b -A fast, but as I
mentioned, it still seems like most of the time spent is
non-pattern-matching overhead.  Any other flags I should turn on?

What do other list members use for benchmarking pattern matching in
snort?  Any advice accepted.

Thanks,

nate

PS - Does anyone know why sneeze gets caught in an infinite loop on
quite a number of the rules files?





