[Snort-users] 2.1.3rc1 Performance

Dirk Geschke Dirk_Geschke at ...1344...
Wed May 19 08:13:22 EDT 2004

Hi Gary,

> The rules were the same, i just changed the link to the snort binary, so 
> that's not it. 

that's good. 

> Did pcre get rewritten, because it's been supported for a while now??? 

I am not sure, but I fear it is a performance penalty to use regular
expressions to match against a network packet.

> As for the libpcap question, i'll try to find out, because someone else 
> compiled the 2.1.1 binary on a different machine.  But the 2.1.3rc1 that I 
> compiled, libpcap is the most recent version 0.8.3.  In fact, i can almost 
> quarantee that it was a different version since 0.8.3 was released on 
> March 30 and I've had the 2.1.1 binary since before then.  But shouldn't 
> the newer version of libpcap be faster and more efficient?

Yes and no. But sometimes newer releases introduces newer bugs/problems.
(So maybe this counts for snort too.)

It also depends on your operating system. If you use linux then you should
use the ring buffere libpcap version of Phil Wood at 


With older libpcap versions on linux I have seen some strange interpretation
of statistics and especially the RedHat version used a complete different
kind how statistics are counted.

Maybe you should recompile the old snort version with the actual libpcap
and try this version again to have a "real" comparison?

Best regards


More information about the Snort-users mailing list