[Snort-devel] Performance comparison between V2 and V3

Min-gyu Jeon jammingyu9 at gmail.com
Tue Feb 19 01:24:12 EST 2019


Hi All,

I ran some performance tests and want to discuss them with the Snort community.

* WARN: This is not a conclusion *
On my first trial, it seems that Snort V2 with multiple processes performs
better than Snort V3 with multiple threads.

Do users experience the same results?
Or is it my misconfiguration or misunderstanding?

Any supplements or similar test results would be very helpful for the next
trials.
Here are my settings and results.

=========== settings ===========
V2 version: v2.9.11.1
V3 version: build 250

DAQ: afpacket, 24 processes (V3: 24 threads), fanout by hash
Mode: IDS mode

V2 Rule: No rules
V3 Rule: No rules

V3 Config: Converted V2 config by snort2lua

CPU: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
NIC: Intel 10G card (Silicom), PE210G2BPI9 Ethernet Bypass
(used only 1 interface)

Traffic generation:
- tcpreplay-edit => 700K pps (*1 interface*)

Traffic info:
- real traffic capture (11 sec)
- about 340K packets and 13k sessions
- HTTP dominant (more than 60%)

============================

=========== results ===========
(V2: 1 Process) vs (V3: 1 Thread)
=> V2: 148K pps (CPU usage: 100%)
=> V3: 26K pps (CPU usage: 80%)

(V2: 24 Process) vs (V3: 24 Thread)
=> V2: 700K pps, full processing (CPU usage: 1500%)
=> V3: 540K pps (CPU usage: 2359%)
============================

Additional notes:

With the same community rules (V2):
According to Snort profiling, the ratio of time spent in modules is

V2: Detection : TCPstream = 1 : 1
V3: Detection : TCPstream = 2 : 1

With this, the possibilities are:
1. misconfiguration of the detection engine in V3
2. V3 actually processes more than V2 during detection

Which do Snort users think is more likely?

-- 
Sincerely,
Jeon