[Snort-users] 2.1.3rc1 Performance

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed May 19 09:32:11 EDT 2004


FWIW, I've tested 2.1.3 (latest from cvs) on a link pushing about 40k
packets per second (400Mbps). No dropped packets. Machine is a
@$2500 machine with built-in gig interfaces.

-----Original Message-----
From: Dirk Geschke [mailto:Dirk_Geschke at ...1344...] 
Sent: Wednesday, May 19, 2004 10:12 AM
To: Gary_Portnoy at ...11307...
Cc: Dirk Geschke; snort-users at lists.sourceforge.net;
Dirk_Geschke at ...1344...
Subject: Re: [Snort-users] 2.1.3rc1 Performance 

Hi Gary,

> The rules were the same, I just changed the link to the snort binary, so
> that's not it.

that's good. 

> Did pcre get rewritten, because it's been supported for a while now???


I am not sure, but I fear it is a performance penalty to use regular
expressions to match against a network packet.

> As for the libpcap question, I'll try to find out, because someone else
> compiled the 2.1.1 binary on a different machine.  But the 2.1.3rc1 that I
> compiled, libpcap is the most recent version 0.8.3.  In fact, I can almost
> guarantee that it was a different version since 0.8.3 was released on
> March 30 and I've had the 2.1.1 binary since before then.  But shouldn't
> the newer version of libpcap be faster and more efficient?

Yes and no. But sometimes newer releases introduce newer bugs/problems.
(So maybe this counts for snort too.)

It also depends on your operating system. If you use Linux then you should
use the ring buffer libpcap version of Phil Wood at

      http://public.lanl.gov/cpw/

With older libpcap versions on Linux I have seen some strange interpretation
of statistics, and especially the RedHat version used a completely different
way of counting statistics.

Maybe you should recompile the old snort version with the actual libpcap
and try this version again to have a "real" comparison?

Best regards

Dirk


