[Snort-devel] [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!

rmkml rmkml at ...879...
Sun Jul 22 18:22:54 EDT 2007


Hi Justin and Colin,
Events missed by 270 are:
      97 (spp_stream4) possible EVASIVE FIN
       2 (spp_stream4) possible EVASIVE RST
but v270 is 50% faster than 2615!
Rmkml


On Mon, 23 Jul 2007, Justin Heath wrote:

> Date: Mon, 23 Jul 2007 11:19:05 -0400
> From: Justin Heath <justin.heath at ...2499...>
> To: Colin Grady <colin.grady at ...2499...>
> Cc: rmkml <rmkml at ...879...>, Snort-users at lists.sourceforge.net,
>     Snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search
>      method on pcap file!
> 
> Are you referring to rule or preprocessor/decoder alerts? How many
> individual alerts are present in 2.6.1.5 which are not present 2.7.0?
> Do you have pcaps associated with the individual alerts? If so, can
> you send them in to bugs at ...835... along with the 2.6.1.5 and 2.7.0
> conf file you are using along with any configure/make args you are
> using?
>
>
> Cheers,
> Justin Heath
>
> On 7/23/07, Colin Grady <colin.grady at ...2499...> wrote:
>> Rmkml,
>> 
>> There are a different number of alerts being generated for 2.6.1.5 and
>> 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced
>> false-positives or misses? Have you looked at the alerts that were
>> generated in 2.6.1.5 but not 2.7.0 to validate/investigate the
>> difference?
>> 
>> Thanks,
>> 
>> Colin Grady
>> 
>> 
>> On 7/22/07, rmkml <rmkml at ...879...> wrote:
>> > Hi,
>> > Snort v2.7.0 improves performance on the same pcap file:
>> >   snort 2615 : 60s
>> >   snort 270  : 30s
>> > the search method used is lowmem and the snort conf is as similar as possible;
>> >
>> > if I change to ac-bnfa, on the same pcap file:
>> >   snort 2615 : 62s
>> >   snort 270  : 36s
>> >
>> > lowmem uses 103 MB of memory and ac-bnfa uses 111 MB on snort 270.
>> > alert count: 270=25486, 2615=25585; test repeated 10x.
>> > tested on a Linux Fedora Core 7 x86 laptop platform
>> > Best Regards
>> > Rmkml
>> > Crusoe Researches
>> >
>> 
>
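One way to answer the question Colin and Justin raise (which alerts 2.6.1.5 raised that 2.7.0 did not), as an added example that is not part of this thread: it counts alerts per signature in two Snort fast-format alert outputs and reports the per-signature difference, which is how a breakdown like "97 EVASIVE FIN, 2 EVASIVE RST" is obtained. The alert lines, signature ids and rule name below are constructed samples, not output from rmkml's run.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format, standing in for the
# alert files of the two versions compared in the thread (ids are made up).
ALERTS_2615 = """\
07/22-10:00:01.000001  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
07/22-10:00:02.000001  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40002 -> 10.0.0.9:80
07/22-10:00:03.000001  [**] [111:2:1] (spp_stream4) possible EVASIVE RST [**] [Priority: 3] {TCP} 10.0.0.5:40003 -> 10.0.0.9:80
07/22-10:00:04.000001  [**] [1:2003:2] WEB-MISC example rule [**] [Priority: 2] {TCP} 10.0.0.5:40004 -> 10.0.0.9:80
"""
ALERTS_270 = """\
07/22-10:00:01.000001  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
07/22-10:00:04.000001  [**] [1:2003:2] WEB-MISC example rule [**] [Priority: 2] {TCP} 10.0.0.5:40004 -> 10.0.0.9:80
"""

# "[**] [gid:sid:rev] message [**]" is the stable part of a fast-format line.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]")


def count_by_signature(alert_text):
    """Count alerts per (gid:sid:rev, message) over fast-format alert lines."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def alert_delta(old_text, new_text):
    """Return {signature: old_count - new_count} for every signature whose count
    differs. Positive values are alerts the new version no longer raises;
    negative values are alerts only the new version raises."""
    old, new = count_by_signature(old_text), count_by_signature(new_text)
    return {sig: old[sig] - new[sig]
            for sig in old.keys() | new.keys() if old[sig] != new[sig]}


if __name__ == "__main__":
    for (sig, msg), missing in sorted(alert_delta(ALERTS_2615, ALERTS_270).items()):
        print(f"{missing:8d} [{sig}] {msg}")
```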