[Snort-devel] [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!

Marc Norton mnorton at ...402...
Mon Jul 23 13:40:16 EDT 2007


Wow, 50% faster...?

FYI: ac-bnfa can be slower at startup, but as far as we know, is always faster
than lowmem at run-time.

rmkml wrote:
> Hi Justin and Colin,
> Events missed by 270 are:
>       97 (spp_stream4) possible EVASIVE FIN
>        2 (spp_stream4) possible EVASIVE RST
> but v270 is 50% faster than 2615!
> Rmkml
> 
> 
> On Mon, 23 Jul 2007, Justin Heath wrote:
> 
>> Date: Mon, 23 Jul 2007 11:19:05 -0400
>> From: Justin Heath <justin.heath at ...2499...>
>> To: Colin Grady <colin.grady at ...2499...>
>> Cc: rmkml <rmkml at ...879...>, Snort-users at lists.sourceforge.net,
>>     Snort-devel at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search
>>      method on pcap file!
>>
>> Are you referring to rule or preprocessor/decoder alerts? How many
>> individual alerts are present in 2.6.1.5 which are not present 2.7.0?
>> Do you have pcaps associated with the individual alerts? If so, can
>> you send them in to bugs at ...835... along with the 2.6.1.5 and 2.7.0
>> conf file you are using along with any configure/make args you are
>> using?
>>
>>
>> Cheers,
>> Justin Heath
>>
>> On 7/23/07, Colin Grady <colin.grady at ...2499...> wrote:
>>> Rmkml,
>>>
>>> There are a different number of alerts being generated for 2.6.1.5 and
>>> 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced
>>> false-positives or misses? Have you looked at the alerts that were
>>> generated in 2.6.1.5 but not 2.7.0 to validate/investigate the
>>> difference?
>>>
>>> Thanks,
>>>
>>> Colin Grady
>>>
>>>
>>> On 7/22/07, rmkml <rmkml at ...879...> wrote:
>>>> Hi,
>>>> Snort v2.7.0 improves performance on the same pcap file:
>>>>   snort 2615 : 60s
>>>>   snort 270  : 30s
>>>> The search method used is lowmem and the snort conf is as similar as possible.
>>>>
>>>> If I change to ac-bnfa, on the same pcap file:
>>>>   snort 2615 : 62s
>>>>   snort 270  : 36s
>>>>
>>>> lowmem uses 103 MB of memory and ac-bnfa uses 111 MB on snort 270.
>>>> Alert count: 270=25486, 2615=25585; test repeated 10x.
>>>> Tested on a Linux Fedora Core 7 x86 laptop platform.
>>>> Best Regards
>>>> Rmkml
>>>> Crusoe Researches
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.net email is sponsored by: Splunk Inc.
>>>> Still grepping through log files to find problems?  Stop.
>>>> Now Search log events and configuration files using AJAX and a browser.
>>>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
> 


-- 
Marc Norton
Sourcefire,Inc   410-423-1924
www.snort.org    www.sourcefire.com
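
A worked example added here by the editor, not code from this thread or from the Snort project: a POSIX shell script that times one Snort 2.x run per search method over the same pcap (wall-clock seconds and peak memory, the two numbers rmkml reports) and then lists, per signature message, the events one alert file contains that the other does not, which is the check Colin and Justin ask for before reading the 99-alert gap as fewer false positives. The snort binary (SNORT, default "snort"), GNU time at /usr/bin/time and a base snort.conf are assumptions; the alert_fast lines written by write_sample_alerts are constructed, with made-up generator and signature ids.

```sh
#!/bin/sh
# Added example for the thread above, not code from the thread or the Snort tree.
# Assumptions (not stated on the page): a Snort 2.x binary ($SNORT, default "snort"),
# GNU time at /usr/bin/time, and a base snort.conf whose includes resolve from the
# current directory. The sample alert lines below are constructed, with made-up ids.
SNORT=${SNORT:-snort}

# Time one Snort run over PCAP with the given pattern matcher and print
# "<method> <elapsed_seconds> <max_rss_kb> <alert_count>".
bench_search_method() {
    method=$1 conf=$2 pcap=$3 run=$4/$1
    mkdir -p "$run"
    # Vary only the matcher: drop any detection line in the base config and
    # append ours, so both runs share the same rules and preprocessors.
    { sed '/^config detection:/d' "$conf"
      printf 'config detection: search-method %s\n' "$method"; } > "$run/snort.conf"
    # GNU time: %e = wall-clock seconds, %M = peak resident set size in KB.
    /usr/bin/time -f '%e %M' -o "$run/time.txt" \
        "$SNORT" -q -N -A fast -c "$run/snort.conf" -r "$pcap" -l "$run" \
        > "$run/snort.log" 2>&1 || echo "snort failed for $method, see $run/snort.log" >&2
    # -A fast writes one line per event to <logdir>/alert.
    alerts=$(awk 'END { print NR }' "$run/alert" 2>/dev/null)
    printf '%s %s %s\n' "$method" "$(cat "$run/time.txt")" "${alerts:-0}"
}

# Print "<count> <msg>" for every signature that file A fired more often than
# file B, i.e. the events B missed relative to A, most frequent first.
# Lines without a "[**] [gid:sid:rev] msg [**]" block are ignored.
alert_delta() {
    awk -v A="$1" -v B="$2" '
        {
            s = index($0, "[**] ")
            if (s == 0) next
            rest = substr($0, s + 5)            # "[gid:sid:rev] msg [**] ..."
            e = index(rest, " [**]")
            if (e == 0) next
            msg = substr(rest, 1, e - 1)        # "[gid:sid:rev] msg"
            sub(/^\[[0-9:]+\] /, "", msg)       # keep just the message text
            side = (FILENAME == A) ? "A" : "B"
            n[side, msg]++
            seen[msg] = 1
        }
        END {
            for (m in seen) {
                d = n["A", m] - n["B", m]
                if (d > 0) printf "%d %s\n", d, m
            }
        }' "$1" "$2" | sort -rn
}

# Bench two matchers on one pcap, then diff their alert files both ways.
bench_all() {
    conf=$1 pcap=$2 out=$3 a=${4:-lowmem} b=${5:-ac-bnfa}
    bench_search_method "$a" "$conf" "$pcap" "$out"
    bench_search_method "$b" "$conf" "$pcap" "$out"
    echo "fired under $a but not under $b:"; alert_delta "$out/$a/alert" "$out/$b/alert"
    echo "fired under $b but not under $a:"; alert_delta "$out/$b/alert" "$out/$a/alert"
}

# Constructed alert_fast lines (not real captures; ids are invented) mirroring the
# thread's case: file a (older build) fires stream4 evasion events that file b does not.
write_sample_alerts() {
    cat > "$1/a.alert" <<'EOF'
07/22-10:15:32.100001  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40211 -> 10.0.0.9:80
07/22-10:15:32.100002  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40212 -> 10.0.0.9:80
07/22-10:15:32.100003  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40213 -> 10.0.0.9:80
07/22-10:15:33.200001  [**] [111:2:1] (spp_stream4) possible EVASIVE RST [**] [Priority: 3] {TCP} 10.0.0.5:40214 -> 10.0.0.9:80
07/22-10:15:34.300001  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40215 -> 10.0.0.9:80
07/22-10:15:34.300002  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40216 -> 10.0.0.9:80
EOF
    cat > "$1/b.alert" <<'EOF'
07/22-10:15:32.100001  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40211 -> 10.0.0.9:80
07/22-10:15:34.300001  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40215 -> 10.0.0.9:80
07/22-10:15:34.300002  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40216 -> 10.0.0.9:80
07/22-10:15:35.400001  [**] [1:1000002:1] LOCAL only in B [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40217 -> 10.0.0.9:80
EOF
}

# Offline demonstration on the constructed lines (no snort needed).
demo() {
    d=$(mktemp -d)
    write_sample_alerts "$d"
    echo "events in a.alert not matched in b.alert:"
    alert_delta "$d/a.alert" "$d/b.alert"
    rm -rf "$d"
}

case "${1:-demo}" in
    demo)  demo ;;
    bench) shift; [ $# -ge 3 ] || { echo "usage: $0 bench CONF PCAP OUTDIR [METHOD_A METHOD_B]" >&2; exit 1; }
           bench_all "$@" ;;
    *)     echo "usage: $0 demo | bench CONF PCAP OUTDIR [METHOD_A METHOD_B]" >&2 ;;
esac
```

Run it with no arguments to see the diff on the constructed lines; run `sh snort_bench.sh bench snort.conf capture.pcap out/` (with SNORT=/path/to/snort to pick a particular build) against a real capture. To reproduce the thread's version comparison rather than a matcher comparison, run bench once per binary into separate output directories and feed the two alert files to alert_delta. One caveat on the timings: a single wall-clock figure mixes startup cost, where Marc notes ac-bnfa can be slower, with per-packet cost; a run over a tiny pcap gives the startup baseline to subtract before comparing matchers.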