[Snort-users] cpu usage by component
omd1 at ...1712...
Tue Sep 9 05:08:10 EDT 2003
I'm wondering if anybody has done Snort benchmarks to see how much of the CPU
time is used by the rules engine, the stream4 preprocessor, frag2, and the
cost of all the interrupts for each packet.
I know the real answer is "it depends" -- it depends on what rules you're
running and what your network looks like. What I'm looking for is rough
order of magnitude kind of stuff where the rule base is the standard Snort
rule base (the one I get when I download snort) on a "typical" (admittedly
poorly defined) network. Clearly there are extremes in network types. A
network running a web server serving many small pages will have more but
shorter streams for stream4 to reconstruct than an ftp server serving giant
files. If this makes a huge difference in the cpu resources required by
stream4 that'd be interesting. If it doesn't make much difference that would
also be interesting. I also know that the output plugins make a big
difference so let's take them out of the equation.
The question is, relative to one another, how much time do the rules engine,
the various cpu intensive preprocessors and the user/kernel boundary crossing
require? Does stream4 use 10 times as much cpu as the rules engine? Is most
of the cpu time spent getting packets from the NIC, through the kernel and
into user space?