[Snort-devel] benchmarking snort

Eric Lauzon eric.lauzon at ...1967...
Sun May 11 15:28:02 EDT 2003

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Nathan Tuck
> Sent: Sunday, May 11, 2003 6:12 PM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] benchmarking snort
>
> Hi.  I'm a new member to the list, but have been hacking on snort for
> a little while.
>
> My question is this.  If I make changes to the pattern matching engine
> and am interested in determining whether I have increased or decreased
> performance, what is the recommended way of going about measuring
> that?
>
> I've tried dumping sneeze output to a file and also using defcon
> traces.  However, it appears to me that snort performance in these two
> cases is really bottlenecked by my disk bandwidth, and logging output.
> Thus far I have been benching snort with -b -A fast, but as I
> mentioned, it still seems like most of the time spent is non
> pattern-matching overhead.  Any other flags I should turn on?
>
> What do other list members use for benchmarking pattern matching in
> snort?  Any advice accepted.
>
> Thanks,
> nate
>
> PS - Does anyone know why sneeze gets caught in an infinite loop on
> quite a number of the rules files?

I don't know about sneeze, but I was getting core dumps on a few rules, mainly
at high bandwidth. I wonder if it was noticed around the community.

But honestly, about the mods you are doing to snort, don't forget that a big
ruleset, the number of plugins, the range of hosts you monitor, the type of
network, and the type of storage will all influence the way snort will react.
You might also consider that complex attacks versus a large ruleset, multiple
preprocessors, loose matching and high traffic can blind snort.

Eric Lauzon
Computer security analyst
eric.lauzon at ...1967...
1919,boul Lionel-Bertrand
Bureau 203
J7H 1N8
