[Snort-openappid] Some initial Queries on openappid

Mike Stepanek (mstepane) mstepane at ...5...
Tue May 26 09:56:44 EDT 2015


In that case, yes, in that context, "ac" would refer to Aho-Corasick.

With regards to performance, we don't really have any benchmarking results to share with regards to the open-source product.  As is always the case, performance is always a loaded question.  It obviously depends heavily on the platform that you're running on.

- Mike Stepanek
   mstepane at ...5...

From: sripaduka R [mailto:padukaietf at ...8...]
Sent: Tuesday, May 26, 2015 8:49 AM
To: Mike Stepanek (mstepane)
Subject: Re: [Snort-openappid] Some initial Queries on openappid

Hi Mike,
Thanks for acknowledging the mail.

A few queries: how does the performance of openappid for DPI parsing fare with line rates of 1G+, such as 1G, 10G traffic? And how does it vary with the number of rules/apps? Can I find some benchmarking results/data somewhere?

The ac-split I was referring to was from fpSetDetectSearchMethod in Fpcreate.c

regards
S


On Tue, May 26, 2015 at 6:04 PM, Mike Stepanek (mstepane) <mstepane at ...5...> wrote:
1) If you add an app ID, there's no need to recompile, but you do need to restart Snort.

2) Yes, OpenAppID makes use of a lot of the same pattern matching engines that were already in Snort.

3) Which reference to "ac split" are you referring to?  It's most likely completely unrelated.  Most likely, it's referring to a feature that we'd worked on here related to some basic refactoring of preprocessor configurations.

- Mike Stepanek
   mstepane at ...5...

From: sripaduka R [mailto:padukaietf at ...8...]
Sent: Tuesday, May 26, 2015 8:16 AM
To: snort-openappid at lists.sourceforge.net
Subject: [Snort-openappid] Some initial Queries on openappid

Hi
I am new to Snort and openappid - going through the Lua APIs.

Some initial queries:

-- Does adding an appid warrant a recompilation and/or restart of the snort exe, or is the database constructed on the fly?

-- Does openappid internally use the same search engine as basic snort? I saw a reference to AC split etc.

- ac split: is this Aho-Corasick?

thanks
-- SAT
