[Snort-devel] Average delay per packet observation

Steven Sturges ststurge at cisco.com
Fri Jul 7 09:46:57 EDT 2017


The matching algorithms in Snort do not repeat the work when the rule options are the same. And further, as soon as one of the options does not match, evaluation of that entire group of rules is halted.

As I noted, it depends on the makeup of the individual rules themselves. If the rules have 'content' options, as is recommended, and that pattern is not present in the traffic being tested, there is no additional evaluation on the rules at all. For example, even with 10000 rules where the pattern from the content option is not present in the traffic, you would get roughly the same performance as if you had only 10 of those rules.

On 7/7/17 4:52 AM, Navdeep Uniyal wrote:
>
> Thank you for your reply.
>
> In my case I am using a set of 5 rules repeated over(with different 
> sid). So approximately each set should take the same amount of time 
> relatively.
>
> Example: 80 rules have (16*5) rules
>
>     40 rules have (8*5) rules
>
>     20 rules have (4*5) rules
>
>     10 rules have (2*5) rules
>
> By this way, I assume the delay should get halved in each case from 80 
> to 40. But this is not happening as we can see from the results. Could 
> you please help me in getting the explanation.
>
> Best Regards,
>
> Navdeep
>
> *From:*Steven Sturges [mailto:ststurge at cisco.com]
> *Sent:* Mittwoch, 5. Juli 2017 13:43
> *To:* Navdeep Uniyal; snort-devel at lists.snort.org
> *Subject:* Re: [Snort-devel] Average delay per packet observation
>
> Rules are not processed sequentially.  Your expectations should depend 
> on the nature of the individual rules themselves.
>
> On 7/4/17 10:16 AM, Navdeep Uniyal wrote:
>
>     Hello everyone,
>
>     I got some interesting results running snort (inline) for an
>     experiment with 80, 40, 20 and 10 rules:
>
>     All rules are matching all the incoming UDP packets. Below is the
>     average delay per packet I found in the 4 experiments:
>
>     80 rules: Average delay: 0.000680666813409 seconds
>
>     40 rules: Average delay: 2.06440535385e-08 seconds
>
>     20 rules: Average delay: 1.6644513569e-08 seconds
>
>     10 rules: Average delay: 1.43723338507e-08 seconds
>
>     These results are quite confusing as I expect, on decreasing from
>     80 to 40 rules the average delay should be approximately halved.
>     But I can’t see such behavior here.
>
>     What could be the possible reason, if someone could explain.
>
>     Best Regards,
>
>     *Navdeep*
>
>
>     _______________________________________________
>
>     Snort-devel mailing list
>
>     Snort-devel at lists.snort.org <mailto:Snort-devel at lists.snort.org>
>
>     https://lists.snort.org/mailman/listinfo/snort-devel
>
>     Please visit http://blog.snort.org for the latest news about Snort!
>
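To make the explanation above concrete, here is a simplified model (added for this archive page, not Snort's own code) of the two mechanisms Steven describes: a fast-pattern prefilter keyed on content options, and a shared detection-option tree that evaluates identical option prefixes once per packet and stops a chain at its first non-matching option. The rules, sids and the packet payload are constructed; only 'content' and 'dsize' are modelled.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "sid options")  # options: tuple of (name, value) pairs

def fast_pattern(rule):
    """Snort keys its multi-pattern prefilter on the longest 'content' by default."""
    contents = [v for name, v in rule.options if name == "content"]
    return max(contents, key=len) if contents else None

def option_matches(option, payload):
    name, value = option
    if name == "content":
        return value in payload
    if name == "dsize":
        return len(payload) == value
    raise ValueError("unsupported option %r" % name)

def evaluate(rules, payload):
    """Return (matched sids, number of rule-option evaluations performed)."""
    # Stage 1: one multi-pattern pass over the payload (Aho-Corasick in Snort);
    # rules whose fast pattern is absent from the packet are never looked at again.
    patterns = {fast_pattern(r) for r in rules} - {None}
    found = {p for p in patterns if p in payload}
    queue = [r for r in rules
             if fast_pattern(r) is None or fast_pattern(r) in found]
    # Stage 2: walk the option chains. Identical prefixes are the same tree node,
    # so each is evaluated once per packet, and a chain is pruned at its first miss.
    node_result, evaluations, matched = {}, 0, []
    for rule in queue:
        for depth in range(1, len(rule.options) + 1):
            node = rule.options[:depth]
            if node not in node_result:
                evaluations += 1
                node_result[node] = option_matches(rule.options[depth - 1], payload)
            if not node_result[node]:
                break
        else:
            matched.append(rule.sid)
    return matched, evaluations

def repeated_ruleset(base_options, copies):
    """The setup in the thread: the same 5 option chains duplicated under new sids."""
    return [Rule(sid=1000 + i, options=base_options[i % len(base_options)])
            for i in range(copies * len(base_options))]

BASE = (  # constructed sample rules, not taken from any real ruleset
    (("content", b"GET "), ("content", b"/admin")),
    (("content", b"GET "), ("dsize", 20)),
    (("content", b"/admin"),),
    (("dsize", 20),),
    (("content", b"HTTP/1.1"), ("content", b"/admin")),
)
PACKET = b"GET /admin HTTP/1.1\n"  # constructed 20-byte UDP payload
```

With this model, `evaluate(repeated_ruleset(BASE, 16), PACKET)` reports 80 matching sids but only 7 option evaluations, and the 10-rule set (2 copies) costs the same 7, which is why the measured delay does not halve with the rule count; a set of rules whose content never appears in the traffic costs zero evaluations whether it has 10 or 10000 entries.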
