[Snort-devel] Huge performance drop for Snort-2.9.4

abed mohammad kamaluddin abedamu at ...2499...
Fri Feb 8 04:25:29 EST 2013


I have not used any special option for compiling the sources. Simply
provided path to my libraries - Both sources are compiled using same
options and libraries:
./configure
   --with-libpcap-includes=DIR --with-libpcap-libraries=DIR
  --with-libpcre-includes=DIR  --with-libpcre-libraries=DIR
  --with-dnet-includes=DIR   --with-dnet-libraries=DIR
  --with-daq-includes=DIR  --with-daq-libraries=DIR
make; make install

Running using:
schedtool -a 0x2 -e ./bin/snort -H  --daq pcap -r pcapfile -c
snortRuleDir/snort.conf -N -l log

Thanks,
Abed M K



On Fri, Feb 8, 2013 at 1:38 AM, Bhagya Bantwal <bbantwal at ...402...> wrote:
> Hello,
>
> Can you please send us the configure options you used with both releases?
>
> ipv6 was enabled by default in 2.9.1 and hardened in the release 2.9.4.
>
> Thanks
> -Bhagya
>
> On Thu, Feb 7, 2013 at 7:04 AM, abed mohammad kamaluddin <abedamu at ...2499...>
> wrote:
>>
>> Hi,
>>
>> While upgrading from 2.9.0.4 to 2.9.4, there is huge performance drop.
>> I have compiled both sources using the same libraries, same compiler
>> options (default) and am running in the same environment using exactly
>> the same configuration and rule files. There is anything between 15 -
>> 40 % decrease in performance depending upon the traffic.
>>
>> I used Intel(R) Xeon(R) CPU X5650  @2.67GHz and daq pcap for the
>> tests. However live traffic also gives than 20% drop in performance.
>> Similar behavior is also seen on MIPs cpu. Here are the observations:
>>
>> Pcap with no alerts, uniform large-sized half-million UDP pkts
>> snort-2.9.0.4  -  1692 Mbps
>> snort-2.9.4    -   1364 Mbps  (~20% drop)
>>
>> Pcap with one alert - non-uniform small-sized TCP pkts
>> snort-2.9.0.4  254 Mbps
>> snort-2.9.4     163 Mbps  (~35 % drop)
>>
>> This is easily reproducible using all types of traffic. Just to make
>> sure, I also tried 2.9.3.1 and it gave me good performance equivalent
>> to 2.9.0.4. So the reduction has crept up in 2.9.4 itself. I haven't
>> explored it, but maybe consolidation of IPv6 is the cause?
>>
>> My earlier mail regarding optimization
>> (http://seclists.org/snort/2013/q1/195) has the same proportionate
>> performance enhancement on both 2.9.4 and 2.9.0.4.
>>
>> Thanks,
>> Abed M K
>>
>>
>> ------------------------------------------------------------------------------
>> Free Next-Gen Firewall Hardware Offer
>> Buy your Sophos next-gen firewall before the end March 2013
>> and get the hardware for free! Learn more.
>> http://p.sf.net/sfu/sophos-d2d-feb
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>
>




More information about the Snort-devel mailing list