[Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!

Colin Grady colin.grady at ...11827...
Mon Jul 23 10:57:12 EDT 2007


Rmkml,

There are a different number of alerts being generated for 2.6.1.5 and
2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced
false-positives or misses? Have you looked at the alerts that were
generated in 2.6.1.5 but not 2.7.0 to validate/investigate the
difference?

Thanks,

Colin Grady


On 7/22/07, rmkml <rmkml at ...953...> wrote:
> Hi,
> Snort v2.7.0 improves performance on the same pcap file:
>   snort 2615 : 60s
>   snort 270  : 30s
> search method used is lowmem and snort conf is similar (as possible),
>
> if I change to ac-bnfa, on same pcap file :
>   snort 2615 : 62s
>   snort 270  : 36s
>
> lowmem uses 103 MB of memory and acbnfa uses 111 MB on snort 270.
> alert number: 270=25486, 2615=25585, test repeated 10x.
> tested on a Linux Fedora Core 7 x86 laptop platform
> Best Regards
> Rmkml
> Crusoe Researches
>

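One way to carry out the comparison asked for in the reply above, as an added example that is not part of the original thread: because both versions read the same pcap, packet timestamps and endpoints are identical, so alerts can be matched event by event and the unmatched ones grouped by signature. It assumes both runs wrote Snort fast-format alert files; the function names, sample lines, SIDs and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_alerts(text):
    """Count alert events keyed by (timestamp, gid, sid, src, dst)."""
    events = Counter()
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:  # skip blank or non-alert lines
            key = (m["ts"], int(m["gid"]), int(m["sid"]), m["src"], m["dst"])
            events[key] += 1
    return events

def by_signature(events):
    """Collapse per-event counts into per-(gid, sid) counts."""
    out = Counter()
    for (_, gid, sid, _, _), n in events.items():
        out[(gid, sid)] += n
    return dict(out)

def diff_alerts(old_text, new_text):
    """Return (only_in_old, only_in_new), each a {(gid, sid): count} dict."""
    old, new = parse_alerts(old_text), parse_alerts(new_text)
    # Counter subtraction keeps only positive remainders (multiset difference).
    return by_signature(old - new), by_signature(new - old)

# Constructed sample output standing in for the two runs on the same pcap.
OLD = """\
07/22-10:00:01.000001  [**] [1:1000001:1] CONSTRUCTED rule A [**] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80
07/22-10:00:02.000002  [**] [1:1000002:1] CONSTRUCTED rule B [**] [Priority: 3] {UDP} 192.0.2.11:5353 -> 198.51.100.6:53
07/22-10:00:03.000003  [**] [1:1000002:1] CONSTRUCTED rule B [**] [Priority: 3] {UDP} 192.0.2.12:5353 -> 198.51.100.6:53
"""
NEW = "\n".join(OLD.splitlines()[:2]) + "\n"  # newer run lacks the third alert

if __name__ == "__main__":
    only_old, only_new = diff_alerts(OLD, NEW)
    for label, sigs in (("only in old run", only_old), ("only in new run", only_new)):
        for (gid, sid), n in sorted(sigs.items()):
            print(f"{label}: gid={gid} sid={sid} count={n}")
```

The signatures that account for the gap are the ones to review by hand against the pcap to decide whether each missing alert was a false positive or a miss.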