[Snort-devel] Performance comparison between V2 and V3
rucombs at cisco.com
Wed Feb 20 15:25:52 EST 2019
On 2/19/19 3:16 PM, Russ wrote:
> Hi Jeon,
> We will be pushing to github some configs and scripts that will help
> get a good comparison of Snort 2 and Snort 3. Have a look at the
> snort3_demo repo in the next day or so and let us know what you find.
> On 2/19/19 1:24 AM, Min-gyu Jeon via Snort-devel wrote:
>> Hi All,
>> I had some performance tests, and want to discuss it with snort
>> * WARN: This is not a conclusion *
>> On my first trial, it seems that SnortV2 with multi process performs
>> better than SnortV3 with multithread.
>> Do users experience the same results?
>> Or is it my misconfiguration or misunderstanding?
>> Any supplements or similar test results would be very helpful for the
>> next trials.
>> Here are my settings and results.
>> =========== settings ===========
>> V2 version: v126.96.36.199
>> V3 version: build 250
>> DAQ: afpacket, 24 processes (V3: 24 threads), fanout by hash
>> Mode: IDS mode
>> V2 Rule: No rules
>> V3 Rule: No rules
>> V3 Config: Converted V2 config by snort2lua
>> CPU: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
>> NIC: Intel 10G card (Silicom), PE210G2BPI9 Ethernet Bypass
>> (used only 1 interface)
>> Traffic generation:
>> - tcpreplay-edit => 700K pps (*1 interface*)
>> Traffic info:
>> - real traffic capture (11 sec)
>> - about 340K packets and 13k sessions
>> - HTTP dominant (more than 60%)
>> =========== results ===========
>> (V2: 1 Process) vs (V3: 1 Thread)
>> => V2: 148K pps (CPU usage: 100%)
>> => V3: 26K pps (CPU usage: 80%)
>> (V2: 24 Process) vs (V3: 24 Thread)
>> => V2: 700K pps, full processing (CPU usage: 1500%)
>> => V3: 540K pps (CPU usage: 2359%)
>> Additional notes:
>> With the same community rules (V2)
>> According to Snort profiling, the ratio of time spent in modules is
>> V2: Detection : TCPstream = 1 : 1
>> V3: Detection : TCPstream = 2 : 1
>> With this, the possibilities are
>> 1. misconfiguration of the detection engine in V3
>> 2. V3 actually processes more than V2 when in detection
>> Which do Snort users think is more possible?