[Snort-devel] Performance comparison between V2 and V3
rucombs at cisco.com
Tue Feb 19 15:16:26 EST 2019
We will be pushing to github some configs and scripts that will help get
a good comparison of Snort 2 and Snort 3. Have a look at the
snort3_demo repo in the next day or so and let us know what you find.
On 2/19/19 1:24 AM, Min-gyu Jeon via Snort-devel wrote:
> Hi All,
> I had some performance tests, and want to discuss them with the Snort community.
> * WARN: This is not a conclusion *
> On my first trial, it seems that SnortV2 with multi process performs
> better than SnortV3 with multithread.
> Do users experience the same results?
> Or is it my misconfiguration or misunderstanding?
> Any supplements or similar test results would be very helpful for the
> next trials.
> Here are my settings and results.
> =========== settings ===========
> V2 version: v18.104.22.168
> V3 version: build 250
> DAQ: afpacket, 24 processes (V3: 24 threads), fanout by hash
> Mode: IDS mode
> V2 Rule: No rules
> V3 Rule: No rules
> V3 Config: Converted V2 config by snort2lua
> CPU: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
> NIC: Intel 10G card (Silicom), PE210G2BPI9 Ethernet Bypass
> (used only 1 interface)
> Traffic generation:
> - tcpreplay-edit => 700K pps (*1 interface*)
> Traffic info:
> - real traffic capture (11 sec)
> - about 340K packets and 13k sessions
> - HTTP dominant (more than 60%)
> =========== results ===========
> (V2: 1 Process) vs (V3: 1 Thread)
> => V2: 148K pps (CPU usage: 100%)
> => V3: 26K pps (CPU usage: 80%)
> (V2: 24 Process) vs (V3: 24 Thread)
> => V2: 700K pps, full processing (CPU usage: 1500%)
> => V3: 540K pps (CPU usage: 2359%)
> Additional notes:
> With same community rules (V2)
> According to Snort profiling, the ratio of time spent in modules is
> V2: Detection : TCPstream = 1 : 1
> V3: Detection : TCPstream = 2 : 1
> With this, the possibilities are
> 1. misconfiguration on detection engine in V3
> 2. V3 actually processes more than V2 when in detection
> Which do Snort users think is more possible?