[Snort-devel] [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!

rmkml rmkml at ...879...
Sun Jul 22 18:33:50 EDT 2007


yes


On Mon, 23 Jul 2007, Colin Grady wrote:

> Date: Mon, 23 Jul 2007 11:02:34 -0500
> From: Colin Grady <colin.grady at ...2499...>
> To: rmkml <rmkml at ...879...>
> Cc: Justin Heath <justin.heath at ...2499...>, Snort-users at lists.sourceforge.net,
>     Snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search
>      method on pcap file!
> 
> To confirm, you're using stream4 with 2.6.1.5 and stream5 with 2.7.0?
>
> Thanks,
> Colin Grady
>
>
> On 7/22/07, rmkml <rmkml at ...879...> wrote:
>> Hi Justin and Colin,
>> Events missed by 270 are:
>>       97 (spp_stream4) possible EVASIVE FIN
>>        2 (spp_stream4) possible EVASIVE RST
>> but v270 is 50% faster than 2615!
>> Rmkml
>> 
>> 
>> On Mon, 23 Jul 2007, Justin Heath wrote:
>> 
>> > Date: Mon, 23 Jul 2007 11:19:05 -0400
>> > From: Justin Heath <justin.heath at ...2499...>
>> > To: Colin Grady <colin.grady at ...2499...>
>> > Cc: rmkml <rmkml at ...879...>, Snort-users at lists.sourceforge.net,
>> >     Snort-devel at lists.sourceforge.net
>> > Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search
>> >      method on pcap file!
>> >
>> > Are you referring to rule or preprocessor/decoder alerts? How many
>> > individual alerts are present in 2.6.1.5 which are not present 2.7.0?
>> > Do you have pcaps associated with the individual alerts? If so, can
>> > you send them in to bugs at ...835... along with the 2.6.1.5 and 2.7.0
>> > conf file you are using along with any configure/make args you are
>> > using?
>> >
>> >
>> > Cheers,
>> > Justin Heath
>> >
>> > On 7/23/07, Colin Grady <colin.grady at ...2499...> wrote:
>> >> Rmkml,
>> >>
>> >> There are a different number of alerts being generated for 2.6.1.5 and
>> >> 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced
>> >> false-positives or misses? Have you looked at the alerts that were
>> >> generated in 2.6.1.5 but not 2.7.0 to validate/investigate the
>> >> difference?
>> >>
>> >> Thanks,
>> >>
>> >> Colin Grady
>> >>
>> >>
>> >> On 7/22/07, rmkml <rmkml at ...879...> wrote:
>> >> > Hi,
>> >> > Snort v2.7.0 improves performance on the same pcap file:
>> >> >   snort 2615 : 60s
>> >> >   snort 270  : 30s
>> >> > The search method used is lowmem and the snort conf is as similar as possible.
>> >> >
>> >> > If I change to ac-bnfa, on the same pcap file:
>> >> >   snort 2615 : 62s
>> >> >   snort 270  : 36s
>> >> >
>> >> > lowmem uses 103 MB of memory and ac-bnfa uses 111 MB on snort 270.
>> >> > Alert count: 270=25486, 2615=25585; test repeated 10x.
>> >> > Tested on a Linux Fedora Core 7 x86 laptop platform.
>> >> > Best Regards
>> >> > Rmkml
>> >> > Crusoe Researches
>> >> >
>> >>
>> >>
>> >
>> 
>

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
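The check Colin asks for above (which alerts one Snort version raised on the pcap that the other did not) can be done by diffing the alert_fast output of both runs. The script below is an added example written for this page, not code from the thread or from the Snort project. It assumes both versions were run against the same pcap with `snort -r file.pcap -A fast`, with the search method selected in snort.conf by `config detection: search-method lowmem` (or `ac-bnfa`), and that the output is Snort 2.x alert_fast lines whose second field is `[**] [gid:sid:rev] msg [**]`. The sample lines, their gid:sid:rev values and the "CONSTRUCTED" messages are made up here; only the two stream4 message texts are the ones rmkml reports.

```python
"""Diff two Snort alert_fast outputs from the same pcap.

Added example, not from the thread.  Parses the "[**] [gid:sid:rev] msg [**]"
field of Snort 2.x alert_fast lines, counts alerts per signature for each run,
and reports what one version raised that the other did not.
"""
import re
from collections import Counter

# Snort 2.x alert_fast layout: "<timestamp>  [**] [gid:sid:rev] <msg> [**] ..."
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Constructed sample output for two runs.  The [gid:sid:rev] values and the
# "CONSTRUCTED" messages are made up for this example; only the stream4
# message texts are the ones quoted in the thread.
ALERTS_2615 = """\
07/22-18:33:50.000001  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
07/22-18:33:50.000002  [**] [111:3:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
07/22-18:33:50.000003  [**] [111:2:1] (spp_stream4) possible EVASIVE RST [**] [Priority: 3] {TCP} 10.0.0.1:40001 -> 10.0.0.2:80
07/22-18:33:51.000004  [**] [111:3:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.3:40002 -> 10.0.0.2:80
07/22-18:33:51.000005  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Priority: 3] {TCP} 10.0.0.3:40002 -> 10.0.0.2:80
"""
ALERTS_270 = """\
07/22-18:33:50.000001  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
07/22-18:33:51.000005  [**] [1:1000001:1] CONSTRUCTED test rule [**] [Priority: 3] {TCP} 10.0.0.3:40002 -> 10.0.0.2:80
07/22-18:33:51.000006  [**] [129:9999:1] (spp_stream5) CONSTRUCTED stream5 event [**] [Priority: 3] {TCP} 10.0.0.3:40002 -> 10.0.0.2:80
"""


def count_signatures(lines):
    """Count alerts per (gid, sid, msg); lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m is None:
            continue
        gid, sid, _rev, msg = m.groups()
        counts[(int(gid), int(sid), msg)] += 1
    return counts


def diff_alerts(old_lines, new_lines):
    """Return (only_in_old, only_in_new, count_changed) between two runs.

    only_in_old / only_in_new map signature -> count; count_changed maps
    signature -> (old_count, new_count) for signatures both runs raised
    but a different number of times.
    """
    old = count_signatures(old_lines)
    new = count_signatures(new_lines)
    only_old = {k: n for k, n in old.items() if k not in new}
    only_new = {k: n for k, n in new.items() if k not in old}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return only_old, only_new, changed


def format_missed(sig_counts):
    """Render a signature->count map the way the thread lists missed events."""
    ordered = sorted(sig_counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["%d %s" % (n, msg) for (_gid, _sid, msg), n in ordered]


def summarize(old_text, new_text):
    """Total alert counts plus the three diff buckets for two alert_fast texts."""
    old_lines, new_lines = old_text.splitlines(), new_text.splitlines()
    only_old, only_new, changed = diff_alerts(old_lines, new_lines)
    return {
        "total_old": sum(count_signatures(old_lines).values()),
        "total_new": sum(count_signatures(new_lines).values()),
        "missed_by_new": format_missed(only_old),
        "new_in_new": format_missed(only_new),
        "count_changed": changed,
    }


if __name__ == "__main__":
    result = summarize(ALERTS_2615, ALERTS_270)
    print("alerts: old=%d new=%d" % (result["total_old"], result["total_new"]))
    for line in result["missed_by_new"]:
        print("  missed by new:", line)
    for line in result["new_in_new"]:
        print("  only in new:  ", line)
```

To use it on real runs, pass the contents of the two alert files to `summarize()`; keying on (gid, sid, msg) rather than on the whole line means the timestamp and flow tuple differences between runs do not count as changes, so the output is the per-signature list of misses that the thread asks for, separating signatures that vanished entirely from those whose count merely changed.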
