[Snort-users] snort 2.0 performance evaluation
jeff at ...950...
Tue Jun 3 13:28:06 EDT 2003
--On Wednesday, June 4, 2003 0:22 +0800 "Terence R.T. Liu"
<tie19858 at ...9364...> wrote:
> We downloaded the latest snort 2.0 and put it into a P4 IPC w/ PCI-X bus
> and 2 broadcom gigabit NICs. Then we tested it w/ IXIA http generator to
> evaluate the performance and throughput. However, the average throughput
> is pretty low, from 18Mbps (packet size is 128 bytes) to 80 Mbps (packet
> size is 1460 bytes). The number of enabled rules is about 1,300.
> Since the current version has employed Wu's algorithm to handle the
> multiple-pattern matching, we assumed the performance should be boosted.
> Does anyone figure this out? Does the testing result sound reasonable?
Can you provide detailed data from your testing? It is difficult to
provide an answer without a complete set of data. Snort has many
components, several of which must be examined in order to determine which
of them (if any) is degrading performance.

As I understand it, you have observed detection rates of 18Mb/sec with an
Ethernet frame size of 128 bytes and 80Mb/sec with an Ethernet frame size
of 1460 bytes.

For example, your data might be affected by a latency in interrupt request
servicing. Packet capture performance is better with large Ethernet frames
than with small frames. It is possible the Broadcom cards generate a high
number of interrupt requests, as is the case with certain gigabit NICs,
resulting in inefficient packet capture. A breakdown in I/O external to
Snort might manifest itself as poor performance.

Without data describing interrupt states, I/O states, cpu and memory
utilization and packet capture statistics your question will only receive
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
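
Added example, not part of the original message or of Snort: one way to gather the interrupt data the reply asks for, assuming a Linux sensor (the thread does not name the operating system). It compares two /proc/interrupts snapshots with the packet rate implied by the reported 18Mb/sec at 128-byte frames; the snapshots, the device names eth1 and eth2, and the 10-second interval are constructed.

```python
# Constructed /proc/interrupts snapshots taken 10 seconds apart (assumption:
# Linux sensor, capture NICs named eth1/eth2; eth2 shares its IRQ with USB).
SNAP_T0 = """\
           CPU0       CPU1
 16:    1200000     300000   IO-APIC-level  eth1
 17:     500000     100000   IO-APIC-level  usb-uhci, eth2
NMI:          0          0
"""
SNAP_T1 = """\
           CPU0       CPU1
 16:    1350000     326000   IO-APIC-level  eth1
 17:     500100     100020   IO-APIC-level  usb-uhci, eth2
NMI:          0          0
"""


def irq_total(snapshot, dev):
    """Sum the per-CPU interrupt counts of every IRQ line that lists dev."""
    lines = snapshot.splitlines()
    ncpu = len(lines[0].split())          # header row: one column per CPU
    total = 0
    for line in lines[1:]:
        fields = line.split()
        # Skip summary rows (NMI, LOC, ERR) and rows with no device names.
        if len(fields) <= ncpu + 1 or not fields[0].rstrip(":").isdigit():
            continue
        # Shared IRQs list several devices separated by commas.
        names = " ".join(fields[1 + ncpu:]).replace(",", " ").split()
        if dev in names:
            total += sum(int(c) for c in fields[1:1 + ncpu])
    return total


def packets_per_second(mbps, frame_bytes):
    """Frame rate implied by a throughput figure (framing overhead ignored)."""
    return mbps * 1_000_000 / (frame_bytes * 8)


def interrupts_per_packet(t0, t1, dev, seconds, mbps, frame_bytes):
    """Near 1.0 means one IRQ per frame; well below 1.0 means coalescing."""
    irq_rate = (irq_total(t1, dev) - irq_total(t0, dev)) / seconds
    return irq_rate / packets_per_second(mbps, frame_bytes)


if __name__ == "__main__":
    for mbps, size in ((18, 128), (80, 1460)):   # figures from the thread
        print(size, "byte frames:", round(packets_per_second(mbps, size)), "pps")
    ratio = interrupts_per_packet(SNAP_T0, SNAP_T1, "eth1", 10, 18, 128)
    print("eth1 interrupts per packet:", round(ratio, 2))
```
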