[Snort-devel] Average delay per packet observation
Navdeep.Uniyal at neclab.eu
Fri Jul 7 04:52:16 EDT 2017
Thank you for your reply.
In my case I am using a set of 5 rules repeated over (with different sid). So approximately each set should take the same amount of time relatively.
Example: 80 rules have (16*5) rules
40 rules have (8*5) rules
20 rules have (4*5) rules
10 rules have (2*5) rules
By this way, I assume the delay should get halved in each case from 80 to 40. But this is not happening as we can see from the results. Could you please help me in getting the explanation?
From: Steven Sturges [mailto:ststurge at cisco.com]
Sent: Wednesday, 5 July 2017 13:43
To: Navdeep Uniyal; snort-devel at lists.snort.org
Subject: Re: [Snort-devel] Average delay per packet observation
Rules are not processed sequentially. Your expectations should depend on the nature of the individual rules themselves.
On 7/4/17 10:16 AM, Navdeep Uniyal wrote:
I got some interesting results running snort (inline) for experiment with 80, 40, 20, 10 number of rules:
All rules are matching all the incoming UDP packets. Below are the average delay per packet I found in the 4 experiments:
80 rules: Average delay: 0.000680666813409 seconds
40 rules: Average delay: 2.06440535385e-08 seconds
20 rules: Average delay: 1.6644513569e-08 seconds
10 rules: Average delay: 1.43723338507e-08 seconds
These results are quite confusing as I expect, on decreasing from 80 to 40 rules the average delay should be approximately halved. But I can't see such behavior here.
What could be the possible reason, if someone could explain?