[Snort-users] 2.1.3rc1 Performance

snort user snortuser at ...125...
Thu May 20 08:34:16 EDT 2004


I use the 0.8.x branch of libpcap so I'm not sure if this applies to earlier 
branches, but all the following has been verified for this branch.

I actually noticed this a long time ago, and a few other bugs. Maybe I should 
get on the devel list.
The stats are being reported inaccurately in the util.c file. Here's part of 
the problem:

-- code snip --
"Snort analyzed %u out of %u packets, ",
                    ps.ps_recv, ps.ps_recv+ps.ps_drop);
- end snip--

ps_recv is the total packets received (meaning received and dropped).
ps_drop is the total dropped.

So this is an inaccurate reading. The really bad thing is that whatever 
packet loss it tells you is actually worse, since it uses 
(packets_dropped/(total_packets+packets_dropped)), which is increasing the 
total packets it thinks it sees. So if you're seeing 40% packet loss, it's more 
like 66%.

I've been doing extensive tests with snort lately and I've determined that 
even on a Linux system with very high performance hardware you can really get 
more than 200 Mb/s without dropping packets unless you really limit your 
rules and remove preprocessors such as stream4 and frag2. There really needs 
to be better pattern matching and optimization for snort to not drop so 
many packets.

I'd be interested in hearing any schemes or ideas people have tried for 
improving the performance of snort on Linux.
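Worked example, added here and not taken from the post or from snort's util.c: it puts the two loss formulas side by side under the post's reading of the libpcap 0.8 counters (ps_recv already includes the dropped packets). The struct is a constructed stand-in for libpcap's struct pcap_stat with only the two fields the post mentions, and the sample counts are made up to land exactly on the 40% versus 66% case the post describes.

```c
#include <stdio.h>

/* Constructed stand-in for libpcap's struct pcap_stat (only the two fields
 * the post talks about), so this compiles without pcap.h. */
struct stat_sample {
    unsigned int ps_recv;  /* packets seen by the capture, dropped ones included */
    unsigned int ps_drop;  /* packets the kernel dropped for lack of buffer */
};

/* Constructed sample: 150000 received (per the post's reading, this already
 * counts the drops), of which 100000 were dropped. */
const struct stat_sample sample_stats = { 150000u, 100000u };

/* Loss ratio the way the posted snippet implies: drop / (recv + drop).
 * This double-counts the drops in the denominator. */
double loss_as_reported(const struct stat_sample *ps)
{
    unsigned int total = ps->ps_recv + ps->ps_drop;
    return total ? (double)ps->ps_drop / total : 0.0;
}

/* Loss ratio when ps_recv already includes the drops: drop / recv. */
double loss_actual(const struct stat_sample *ps)
{
    return ps->ps_recv ? (double)ps->ps_drop / ps->ps_recv : 0.0;
}

/* Packets snort actually got to analyze under that same reading. */
unsigned int packets_analyzed(const struct stat_sample *ps)
{
    return ps->ps_recv >= ps->ps_drop ? ps->ps_recv - ps->ps_drop : 0u;
}

/* Convert a figure printed by the inflated formula back to the real loss:
 * r = d / (n + d)  =>  d / n = r / (1 - r). Returns -1 for r >= 1 (impossible). */
double real_loss_from_reported(double reported)
{
    return reported < 1.0 ? reported / (1.0 - reported) : -1.0;
}

int main(void)
{
    const struct stat_sample *ps = &sample_stats;
    printf("as reported:  analyzed %u out of %u packets, %.1f%% loss\n",
           ps->ps_recv, ps->ps_recv + ps->ps_drop, 100.0 * loss_as_reported(ps));
    printf("actual:       analyzed %u out of %u packets, %.1f%% loss\n",
           packets_analyzed(ps), ps->ps_recv, 100.0 * loss_actual(ps));
    printf("a printed 40%% corresponds to %.1f%% real loss\n",
           100.0 * real_loss_from_reported(0.40));
    return 0;
}
```

The conversion function is the useful part when reading old snort logs from a build with this bug: a printed loss of r is really r/(1-r), so 40% becomes about 67% and anything printed above 50% means more packets were dropped than analyzed.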
