[Snort-devel] [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!

Justin Heath justin.heath at ...2499...
Mon Jul 23 11:19:05 EDT 2007


Are you referring to rule or preprocessor/decoder alerts? How many
individual alerts are present in 2.6.1.5 which are not present in 2.7.0?
Do you have pcaps associated with the individual alerts? If so, can
you send them in to bugs at ...835... along with the 2.6.1.5 and 2.7.0
conf file you are using along with any configure/make args you are
using?


Cheers,
Justin Heath

On 7/23/07, Colin Grady <colin.grady at ...2499...> wrote:
> Rmkml,
>
> There are a different number of alerts being generated for 2.6.1.5 and
> 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced
> false-positives or misses? Have you looked at the alerts that were
> generated in 2.6.1.5 but not 2.7.0 to validate/investigate the
> difference?
>
> Thanks,
>
> Colin Grady
>
>
> On 7/22/07, rmkml <rmkml at ...879...> wrote:
> > Hi,
> > Snort v2.7.0 improves performance, on same pcap file:
> >   snort 2615 : 60s
> >   snort 270  : 30s
> > search method used is lowmem and snort conf is similar (as possible),
> >
> > if I change to ac-bnfa, on same pcap file :
> >   snort 2615 : 62s
> >   snort 270  : 36s
> >
> > lowmem uses 103 MB of memory and acbnfa uses 111 MB on snort 270.
> > alert number: 270=25486, 2615=25585, test repeated 10x.
> > tested on linux fedora core 7 x86 laptop platform
> > Best Regards
> > Rmkml
> > Crusoe Researches
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems?  Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
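
One way to answer the questions raised in this thread (which signatures account for the difference between the two runs, and whether they are rule or preprocessor/decoder alerts) is to diff the two alert files per generator ID and signature ID. This is an added example, not code from the thread or from the Snort project; it assumes the alert_fast output format, and the sample alert lines, SIDs and function names are constructed for illustration.

```python
import re
from collections import Counter

# alert_fast line: "<time>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] ..."
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")
RULE_GIDS = {1, 3}  # text rules and shared-object rules; other generators are preprocessors/decoder

def count_alerts(lines):
    """Count alerts per (gid, sid), ignoring rev so an updated rule still matches."""
    counts, msgs = Counter(), {}
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            counts[key] += 1
            msgs[key] = m.group(3)
    return counts, msgs

def diff_alerts(old_lines, new_lines):
    """Rows (kind, gid, sid, old_count, new_count, msg) for signatures whose counts differ."""
    old, old_msgs = count_alerts(old_lines)
    new, new_msgs = count_alerts(new_lines)
    rows = []
    for key in sorted(set(old) | set(new)):
        if old[key] != new[key]:
            kind = "rule" if key[0] in RULE_GIDS else "preprocessor/decoder"
            msg = old_msgs.get(key) or new_msgs[key]
            rows.append((kind, key[0], key[1], old[key], new[key], msg))
    return rows

def fast(ts, sig, msg):
    """Build one constructed alert_fast line (addresses are documentation ranges)."""
    return (f"07/22-10:00:{ts:02d}.000000  [**] [{sig}] {msg} [**] "
            "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:1025 -> 192.0.2.20:80")

# Constructed sample output standing in for the two runs over the same pcap.
OLD_RUN = [fast(1, "1:1000001:1", "CONSTRUCTED rule A"), fast(2, "1:1000001:1", "CONSTRUCTED rule A"),
           fast(3, "1:1000002:1", "CONSTRUCTED rule B"),
           fast(4, "119:2:1", "(http_inspect) CONSTRUCTED message"),
           fast(5, "119:2:1", "(http_inspect) CONSTRUCTED message")]
NEW_RUN = [fast(1, "1:1000001:2", "CONSTRUCTED rule A"), fast(2, "1:1000001:2", "CONSTRUCTED rule A"),
           fast(3, "1:1000003:1", "CONSTRUCTED rule C"),
           fast(4, "119:2:1", "(http_inspect) CONSTRUCTED message")]

if __name__ == "__main__":
    for kind, gid, sid, n_old, n_new, msg in diff_alerts(OLD_RUN, NEW_RUN):
        print(f"{kind:<21} {gid}:{sid:<8} 2.6.1.5={n_old:<3} 2.7.0={n_new:<3} {msg}")
```

To use it on real output, pass the lines of each version's alert file to diff_alerts in place of the constructed lists.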



