[Snort-devel] Performance comparison between V2 and V3

Russ rucombs at cisco.com
Tue Feb 19 15:16:26 EST 2019


Hi Jeon,

We will be pushing to GitHub some configs and scripts that will help get 
a good comparison of Snort 2 and Snort 3.  Have a look at the 
snort3_demo repo in the next day or so and let us know what you find.

Thanks
Russ

On 2/19/19 1:24 AM, Min-gyu Jeon via Snort-devel wrote:
> Hi All,
>
> I ran some performance tests and want to discuss them with the Snort community.
>
> * WARN: This is not a conclusion *
> On my first trial, it seems that SnortV2 with multi process performs 
> better than SnortV3 with multithread.
>
> Do users experience the same results?
> Or is it my misconfiguration or misunderstanding?
>
> Any supplements or similar test results would be very helpful for the 
> next trials.
> Here are my settings and results.
>
> =========== settings ===========
> V2 version: v2.9.11.1
> V3 version: build 250
>
> DAQ: afpacket, 24 processes (V3: 24 threads), fanout by hash
> Mode: IDS mode
>
> V2 Rule: No rules
> V3 Rule: No rules
>
> V3 Config: Converted V2 config by snort2lua
>
> CPU: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
> NIC: Intel 10G card (Silicom), PE210G2BPI9 Ethernet Bypass
> (used only 1 interface)
>
> Traffic generation:
> - tcpreplay-edit => 700K pps (*1 interface*)
>
> Traffic info:
> - real traffic capture (11 sec)
> - about 340K packets and 13k sessions
> - HTTP dominant (more than 60%)
>
> ============================
>
> =========== results ===========
> (V2: 1 Process) vs (V3: 1 Thread)
> => V2: 148K pps (CPU usage: 100%)
> => V3: 26K pps (CPU usage: 80%)
>
> (V2: 24 Process) vs (V3: 24 Thread)
> => V2: 700K pps, full processing (CPU usage: 1500%)
> => V3: 540K pps (CPU usage: 2359%)
> ============================
>
> Additional notes:
>
> With the same community rules (V2)
> According to Snort profiling, the ratio of time spent in modules is
>
> V2: Detection : TCPstream  = 1 : 1
> V3: Detection : TCPstream = 2 : 1
>
> With this, the possibilities are
> 1. misconfiguration of the detection engine in V3
> 2. V3 actually processes more than V2 when in detection
>
> Which do Snort users think is more possible?
>
> -- 
> Sincerely,
> Jeon
