[Snort-devel] Average delay per packet observation

Steven Sturges ststurge at cisco.com
Wed Jul 5 07:43:20 EDT 2017


Rules are not processed sequentially.  Your expectations should depend 
on the nature of the

individual rules themselves.

On 7/4/17 10:16 AM, Navdeep Uniyal wrote:
>
> Hello everyone,
>
> I got some interesting results running snort (inline) for experiment 
> with 80, 40, 20, 10 number of rules:
>
> All rules are matching all the incoming UDP packets. Below are the 
> average delay per packet I found in the 4 experiments:
>
> 80 rules: Average delay:  0.000680666813409 seconds
>
> 40 rules: Average delay:  2.06440535385e-08 seconds
>
> 20 rules: Average delay:  1.6644513569e-08   seconds
>
> 10 rules:              Average delay: 1.43723338507e-08 seconds
>
> These results are quite confusing as I expect, on decreasing from 80 
> to 40 rules the average delay should be approximately halved. But I 
> can’t see such behavior here.
>
> What could be the possible reason, if someone could explain.
>
> Best Regards,
>
> *Navdeep*
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20170705/6e5940cd/attachment.html>


More information about the Snort-devel mailing list