[Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!

Colin Grady colin.grady at ...11827...
Mon Jul 23 12:02:34 EDT 2007


To confirm, you're using stream4 with 2.6.1.5 and stream5 with 2.7.0?

Thanks,
Colin Grady


On 7/22/07, rmkml <rmkml at ...953...> wrote:
> Hi Justin and Colin,
> Events missed by 270 are:
>       97 (spp_stream4) possible EVASIVE FIN
>        2 (spp_stream4) possible EVASIVE RST
> but v270 is 50% faster than 2615!
> Rmkml
>
>
> On Mon, 23 Jul 2007, Justin Heath wrote:
>
> > Date: Mon, 23 Jul 2007 11:19:05 -0400
> > From: Justin Heath <justin.heath at ...11827...>
> > To: Colin Grady <colin.grady at ...11827...>
> > Cc: rmkml <rmkml at ...953...>, Snort-users at lists.sourceforge.net,
> >     Snort-devel at lists.sourceforge.net
> > Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search
> >      method on pcap file!
> >
> > Are you referring to rule or preprocessor/decoder alerts? How many
> > individual alerts are present in 2.6.1.5 which are not present 2.7.0?
> > Do you have pcaps associated with the individual alerts? If so, can
> > you send them in to bugs at ...950... along with the 2.6.1.5 and 2.7.0
> > conf file you are using along with any configure/make args you are
> > using?
> >
> >
> > Cheers,
> > Justin Heath
> >
> > On 7/23/07, Colin Grady <colin.grady at ...11827...> wrote:
> >> Rmkml,
> >>
> >> There are a different number of alerts being generated for 2.6.1.5 and
> >> 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced
> >> false-positives or misses? Have you looked at the alerts that were
> >> generated in 2.6.1.5 but not 2.7.0 to validate/investigate the
> >> difference?
> >>
> >> Thanks,
> >>
> >> Colin Grady
> >>
> >>
> >> On 7/22/07, rmkml <rmkml at ...953...> wrote:
> >> > Hi,
> >> > Snort v2.7.0 improves performance on the same pcap file:
> >> >   snort 2615 : 60s
> >> >   snort 270  : 30s
> >> > The search method used is lowmem and the snort conf is as similar as possible.
> >> >
> >> > If I change to ac-bnfa, on the same pcap file:
> >> >   snort 2615 : 62s
> >> >   snort 270  : 36s
> >> >
> >> > lowmem uses 103 MB of memory and ac-bnfa uses 111 MB on snort 270.
> >> > alert number: 270=25486, 2615=25585; test repeated 10x.
> >> > Tested on a Linux Fedora Core 7 x86 laptop platform.
> >> > Best Regards
> >> > Rmkml
> >> > Crusoe Researches
> >> >
> >> > -------------------------------------------------------------------------
> >> > This SF.net email is sponsored by: Splunk Inc.
> >> > Still grepping through log files to find problems?  Stop.
> >> > Now Search log events and configuration files using AJAX and a browser.
> >> > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> >> > _______________________________________________
> >> > Snort-users mailing list
> >> > Snort-users at lists.sourceforge.net
> >> > Go to this URL to change user options or unsubscribe:
> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >> > Snort-users list archive:
> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >> >
> >>
> >
>
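The thread compares total alert counts between two Snort runs over the same pcap and then asks which signatures account for the 99-alert gap and whether they are rule alerts or preprocessor/decoder alerts. The following Python script is an added example, not code from the thread or from the Snort project: it parses two alert files in Snort's alert_fast style, counts alerts per (GID, SID, message), and reports which signatures were missed or gained between the runs, splitting rule alerts (GID 1) from preprocessor/decoder alerts (other GIDs). The sample alert lines, GID:SID:rev values, rule names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample output in alert_fast style for an "old" run (2.6.1.5)
# and a "new" run (2.7.0). GID/SID values and addresses are made up here.
ALERTS_2615 = """\
07/22-10:15:32.000001  [**] [111:4:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:40211 -> 10.0.0.9:80
07/22-10:15:32.000002  [**] [1:1000001:1] EXAMPLE web rule [**] [Priority: 2] {TCP} 10.0.0.5:40211 -> 10.0.0.9:80
07/22-10:15:33.000003  [**] [111:4:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.6:40212 -> 10.0.0.9:80
07/22-10:15:34.000004  [**] [111:5:1] (spp_stream4) possible EVASIVE RST [**] [Priority: 3] {TCP} 10.0.0.7:40213 -> 10.0.0.9:80
"""

ALERTS_270 = """\
07/22-10:15:32.000002  [**] [1:1000001:1] EXAMPLE web rule [**] [Priority: 2] {TCP} 10.0.0.5:40211 -> 10.0.0.9:80
07/22-10:15:35.000005  [**] [1:1000002:1] EXAMPLE new rule [**] [Priority: 2] {TCP} 10.0.0.8:40214 -> 10.0.0.9:80
"""

# "[**] [gid:sid:rev] message [**]" is the stable part of an alert_fast line.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def parse_alerts(text):
    """Count alerts per (gid, sid, message) over alert_fast-style lines."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank or non-alert line
        gid, sid, _rev, msg = m.groups()
        counts[(int(gid), int(sid), msg)] += 1
    return counts


def diff_alerts(old, new):
    """Return (missed, gained): per-signature counts that dropped or rose."""
    missed, gained = Counter(), Counter()
    for key in set(old) | set(new):
        delta = old[key] - new[key]
        if delta > 0:
            missed[key] = delta
        elif delta < 0:
            gained[key] = -delta
    return missed, gained


def summarize(old_text, new_text):
    """Totals, per-signature differences, and how many misses are non-rule (GID != 1)."""
    old, new = parse_alerts(old_text), parse_alerts(new_text)
    missed, gained = diff_alerts(old, new)
    return {
        "old_total": sum(old.values()),
        "new_total": sum(new.values()),
        "missed": missed,
        "gained": gained,
        # GID 1 is the rules engine; other GIDs are preprocessors/decoder.
        "preprocessor_missed": sum(n for (gid, _, _), n in missed.items() if gid != 1),
    }


if __name__ == "__main__":
    s = summarize(ALERTS_2615, ALERTS_270)
    print(f"{s['old_total']} alerts in old run, {s['new_total']} in new run")
    for (gid, sid, msg), n in sorted(s["missed"].items(), key=lambda kv: -kv[1]):
        print(f"{n:>6} missed  [{gid}:{sid}] {msg}")
    for (gid, sid, msg), n in sorted(s["gained"].items(), key=lambda kv: -kv[1]):
        print(f"{n:>6} gained  [{gid}:{sid}] {msg}")
    print(f"{s['preprocessor_missed']} of the missed alerts are preprocessor/decoder alerts")
```

In practice the two inputs would be the alert files produced by running each Snort build over the same pcap with `-A fast` (for example `snort -c snort.conf -r capture.pcap -A fast`), and the per-signature table answers the question asked in the thread directly: a drop concentrated in one preprocessor's signatures (as with the stream4 EVASIVE FIN/RST events here) points at a preprocessor change rather than at the pattern-matcher search method, which is what the timing comparison was varying.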