[Snort-devel] Performance comparison between V2 and V3

Russ rucombs at cisco.com
Wed Feb 20 15:25:52 EST 2019


https://github.com/snort3/snort3_demo/tree/master/perf

On 2/19/19 3:16 PM, Russ wrote:
> Hi Jeon,
>
> We will be pushing to github some configs and scripts that will help 
> get a good comparison of Snort 2 and Snort 3.  Have a look at the 
> snort3_demo repo in the next day or so and let us know what you find.
>
> Thanks
> Russ
>
> On 2/19/19 1:24 AM, Min-gyu Jeon via Snort-devel wrote:
>> Hi All,
>>
>> I had some performance tests, and want to discuss them with the Snort 
>> community.
>>
>> * WARN: This is not a conclusion *
>> On my first trial, it seems that SnortV2 with multi process performs 
>> better than SnortV3 with multithread.
>>
>> Do users experience the same results?
>> Or is it my misconfiguration or misunderstanding?
>>
>> Any supplements or similar test results would be very helpful for the 
>> next trials.
>> Here are my settings and results.
>>
>> =========== settings ===========
>> V2 version: v2.9.11.1
>> V3 version: build 250
>>
>> DAQ: afpacket, 24 processes (V3: 24 threads), fanout by hash
>> Mode: IDS mode
>>
>> V2 Rule: No rules
>> V3 Rule: No rules
>>
>> V3 Config: Converted V2 config by snort2lua
>>
>> CPU: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
>> NIC: Intel 10G card (Silicom), PE210G2BPI9 Ethernet Bypass
>> (used only 1 interface)
>>
>> Traffic generation:
>> - tcpreplay-edit => 700K pps (*1 interface*)
>>
>> Traffic info:
>> - real traffic capture (11 sec)
>> - about 340K packets and 13k sessions
>> - HTTP dominant (more than 60%)
>>
>> ============================
>>
>> =========== results ===========
>> (V2: 1 Process) vs (V3: 1 Thread)
>> => V2: 148K pps (CPU usage: 100%)
>> => V3: 26K pps (CPU usage: 80%)
>>
>> (V2: 24 Process) vs (V3: 24 Thread)
>> => V2: 700K pps, full processing (CPU usage: 1500%)
>> => V3: 540K pps (CPU usage: 2359%)
>> ============================
>>
>> Additional notes:
>>
>> With the same community rules (V2)
>> According to Snort profiling, the ratio of time spent in modules is
>>
>> V2: Detection : TCPstream  = 1 : 1
>> V3: Detection : TCPstream = 2 : 1
>>
>> With this, possibilities are
>> 1. misconfiguration on detection engine in V3
>> 2. V3 actually processes more than V2 when in detection
>>
>> Which do Snort users think is more possible?
>>
>> -- 
>> Sincerely,
>> Jeon
>>
>
