[Snort-users] snort 2.0 performance evaluation

Jeff Nathan jeff at ...950...
Tue Jun 3 13:28:06 EDT 2003

--On Wednesday, June 4, 2003 0:22 +0800 "Terence R.T. Liu" 
<tie19858 at ...9364...> wrote:

> We downloaded the latest snort 2.0 and put it into a P4 IPC w/ PCI-X bus
> and 2 broadcom gigabit NICs. Then we tested it w/ IXIA http generator to
> evaluate the performance and throughput. However, the average throughput
> is pretty low, from 18Mbps (packet size is 128 bytes) to 80 Mbps (packet
> size is 1460 bytes). The number of enabled rules is about 1,300.
> Since the current version has employed the Wu's algorithm to handle the
> multiple-pattern matching, we assumed the performance should be boosted.
> Does anyone figure this out? Does the testing result sound reasonable?
> Thanks,
> Terry.


Can you provide detailed data from your testing?  It is difficult to 
provide an answer without a complete set of data.  Snort has many 
components, several of which must be examined in order to determine which 
of them (if any) is degrading performance.

As I understand it, you have observed detection rates of 18Mb/sec with an 
Ethernet frame size of 128 bytes and 80Mb/sec with an Ethernet frame size 
of 1460 bytes.

For example, your data might be affected by a latency in interrupt request 
servicing.  Packet capture performance is better with large Ethernet frames 
than with small frames.  It is possible the Broadcom cards generate a high 
number of interrupt requests, as is the case with certain gigabit NICs, 
resulting in inefficient packet capture.  A breakdown in I/O external to 
Snort might manifest itself as poor performance.

Without data describing interrupt states, I/O states, CPU and memory 
utilization, and packet capture statistics, your question will only receive 
spurious answers.

-Jeff

--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
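
The following is an added example, not part of the original message or of Snort: one way to turn two counter snapshots into the interrupt and packet-rate data the reply asks for. It assumes a Linux sensor (the thread does not name the OS) and reads lines in the /proc/net/dev and /proc/interrupts layout; the interface name eth1, IRQ 24 and every counter value are constructed.

```python
# Constructed snapshots taken INTERVAL seconds apart (not data from the thread).
INTERVAL = 10.0
NET_DEV_T0 = "  eth1: 1000000   10000 0   500 0 0 0 0 0 0 0 0 0 0 0 0"
NET_DEV_T1 = "  eth1:23400000  185000 0 25500 0 0 0 0 0 0 0 0 0 0 0 0"
IRQ_T0 = " 24:    400000   IO-APIC-level  eth1"
IRQ_T1 = " 24:    575000   IO-APIC-level  eth1"


def parse_net_dev(line):
    """Return (rx_bytes, rx_packets, rx_drop) from one /proc/net/dev line."""
    _, counters = line.split(":", 1)
    fields = counters.split()
    return int(fields[0]), int(fields[1]), int(fields[3])


def parse_irq(line, cpus=1):
    """Return the interrupt count summed over `cpus` per-CPU columns."""
    _, rest = line.split(":", 1)
    return sum(int(n) for n in rest.split()[:cpus])


def capture_rates(dev0, dev1, irq0, irq1, interval, cpus=1):
    """Compute receive and interrupt rates between two snapshots."""
    b0, p0, d0 = parse_net_dev(dev0)
    b1, p1, d1 = parse_net_dev(dev1)
    packets = p1 - p0
    irqs = parse_irq(irq1, cpus) - parse_irq(irq0, cpus)
    return {
        "mbps": (b1 - b0) * 8 / interval / 1e6,
        "pps": packets / interval,
        "avg_frame_bytes": (b1 - b0) / packets if packets else 0.0,
        "irq_per_sec": irqs / interval,
        "irq_per_packet": irqs / packets if packets else 0.0,
        "drops_per_sec": (d1 - d0) / interval,
    }


if __name__ == "__main__":
    rates = capture_rates(NET_DEV_T0, NET_DEV_T1, IRQ_T0, IRQ_T1, INTERVAL)
    for name, value in rates.items():
        print(f"{name:16s} {value:12.2f}")
```

In the constructed sample, 17.92 Mb/sec of 128-byte frames works out to 17,500 packets and 17,500 interrupts per second, one interrupt per packet, which is the pattern the reply suggests checking for on the Broadcom cards.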