[Snort-openappid] What is "detect", " rule eval" stand for in the profiling result of Snort preprocessor?

Ricky Li ricky.li.net at ...8...
Tue Jun 9 11:46:44 EDT 2015


I try to test the performance of Snort with different rule set. So I picked
two rule sets:

1) Snort VRT set (https://www.snort.org/downloads/#rule-downloads)
2) ET (Emerging Threat) Open rule set (

I use the same input traffic and same configuration for the two cases, only
difference is the "# site specific rules" section (rule files contained in
the "rules" folder).

For case 1) I used Snort VRT rules and for case 2) I used the ET Open
rules. But the test result are quite different, the packets processed per
second (PPS) of ET rule set is only 10% of Snort VRT rule set.

The preprocessor profiling results for case 2), the ET Open rule set is

Preprocessor Profile Statistics (worst 20)
 Num            Preprocessor Layer     Checks      Exits
Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====
=========  ========= ============= ============
  1                   detect     0     504840     504840
64274120     127.32         94.48        94.48
   1               rule eval     1    2737825    2737825
59599382      21.77         92.73        87.61
    1         rule tree eval     2    3252182    3252182
59297083      18.23         99.49        87.16
     1               session     3     504810     504810
432874       0.86          0.73         0.64
     2               content     3     439184     439184
175567       0.40          0.30         0.26

The top 3: detect, rule eval, and rule tree eval are very slow, and their
percentage of total are all close to 100%!
So I have some questions:

1) What are the item "detect", "rule eval", "rule tree eval" exactly stand
for? Is there any document introducing them?
2) Base on the profiling result above, why those three items take some much
resource? How to tune/optimize it?
3) For the performance gap between Snort VRT rule set and the third-party
ET Open rule set, is it because Snort has some internal optimization for
Snort VRT rule set (like some rule parsing engines) inside Snort program?
So it has better performance for Snort VRT rule set, compared with other
third-party rules.

Thank you very much for your kindly help and answers!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20150609/ffb7e2ff/attachment.html>

More information about the Snort-openappid mailing list