[Snort-users] 2.1.3rc1 Performance
snortuser at ...125...
Thu May 20 08:34:16 EDT 2004
I use the 0.8.x branch of libpcap, so I'm not sure if this applies to earlier
branches, but all the following has been verified for this branch.
I actually noticed this a long time ago, and a few other bugs; maybe I should
get on the devel list.
The stats are being reported inaccurately in the util.c file. Here's part of
-- code snip --
"Snort analyzed %u out of %u packets, ",
-- end snip --
ps_recv is the total packets received (meaning received and dropped)
ps_drop is the total dropped
So this is an inaccurate reading. The really bad thing is that whatever
packet loss it tells you is actually worse, since it uses
(packets_dropped/(total_packet+packet_dropped)), which is increasing the
total packets it thinks it sees. So if you're seeing 40% packet loss is more
I've been doing extensive tests with Snort lately and I've determined that
even on a Linux system with very high performance hardware you can really get
more than 200 Mb/s without dropping packets unless you really limit your
rules and remove preprocessors such as stream4 and frag2. There really needs
to be a better pattern matching and optimization for Snort to not drop so
I'd be interested in hearing any schemes or ideas people have tried for
improving the performance of Snort on Linux.
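
The accounting described in the post above, as an added example that is not part of the original message and is not Snort's code. It assumes the post's reading of the counters (ps_recv already includes dropped packets); the struct and function names are hypothetical, and the sample counts are constructed.

```c
#include <stdio.h>

/* Local mirror of the two libpcap counters the post discusses, defined
 * here (hypothetical name) so the example builds without pcap.h. */
struct capture_stats {
    unsigned int ps_recv; /* assumption from the post: received, drops included */
    unsigned int ps_drop; /* dropped */
};

/* Loss as the post says it is reported: drop / (recv + drop). */
double reported_loss_pct(const struct capture_stats *s)
{
    double denom = (double)s->ps_recv + (double)s->ps_drop;
    return denom > 0.0 ? 100.0 * s->ps_drop / denom : 0.0;
}

/* Loss when ps_recv already counts the drops: drop / recv. */
double actual_loss_pct(const struct capture_stats *s)
{
    return s->ps_recv ? 100.0 * s->ps_drop / s->ps_recv : 0.0;
}

/* Packets actually analyzed under the same assumption. */
unsigned int analyzed_packets(const struct capture_stats *s)
{
    return s->ps_drop <= s->ps_recv ? s->ps_recv - s->ps_drop : 0;
}

/* With r = d/(R+d) and t = d/R, t = r/(1-r). Since d <= R, r cannot
 * exceed 50%; anything outside 0..50 returns -1 as inconsistent. */
double actual_from_reported_pct(double reported_pct)
{
    double r = reported_pct / 100.0;
    if (r < 0.0 || r > 0.5)
        return -1.0;
    return 100.0 * r / (1.0 - r);
}

int main(void)
{
    struct capture_stats s = { 1000, 400 }; /* constructed sample counts */
    printf("reported %.2f%%, actual %.2f%%, analyzed %u\n",
           reported_loss_pct(&s), actual_loss_pct(&s), analyzed_packets(&s));
    printf("reported 40%% corresponds to %.2f%% actual\n",
           actual_from_reported_pct(40.0));
    return 0;
}
```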