[Snort-users] Testing Snort's Pattern Matching Performance

Rayne hjazz6 at ...14432...
Wed Oct 22 04:42:04 EDT 2008


Hi,

I'm trying to test the performance of Snort's pattern matching engine, and I have the following 10 rules ($EXTERNAL_NET and $HOME_NET are both set to any):

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"he"; content:"he"; sid:1000001; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"VIS"; content:"VIS"; sid:1000002; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"}"; content:"}"; sid:1000003; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BO"; content:"BO"; sid:1000004; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"1"; content:"1"; sid:1000005; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"er"; content:"er"; sid:1000006; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"protocol"; content:"protocol"; sid:1000007; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"@"; content:"@"; sid:1000008; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"s}"; content:"s}"; sid:1000009; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"WEIGHT"; content:"WEIGHT"; sid:1000010; rev:1)

I know they're extreme in the sense that all IP packets would be matched and the contents are short strings. But I'm just testing how fast Snort can match these patterns, not whether these patterns are realistic or not.

I've turned off all the preprocessors (e.g. frag3, stream5 etc), leaving only perfmonitor:
(in snort.conf) preprocessor perfmonitor: time 10 file /var/snort/snort.stats pktcnt 10000

>From what I understand, all the patterns will be put in the fast pattern matcher since each rule consists of only 1 content option, and the AC algorithm is run as default. When a pattern matches, Boyer-Moore will be used to match that pattern against the entire payload (since there are no content modifiers) again. So each matching string is actually matched twice, once using AC, and another time using Boyer-Moore.

I passed in 780122 packets from a pcap file using Tcpreplay at a rate of 97 Mbps, and ran snort as such:
snort -i eth0 -c /etc/snort/snort.conf -N -A none

Snort gave the following statistics:

Received: 780067
Analyzed: 780065 (100.000%)
Dropped: 0 (0.000%)
Outstanding: 2 (0.000%)

My questions are:

1) Why didn't Snort receive all 780122 packets? If I used a higher rate, snort would receive even fewer packets. If I turn off the perfmonitor preprocessor, I can get 780067 packets @ 119 Mbps.
2) What are "outstanding" packets?
3) Is the rate of 119 Mbps (without perfmonitor) reasonable or should a higher rate be expected? Ideally I would like it to be faster, but I don't know if that's possible.
4) Are there any ways to improve the performance, i.e. receive all packets at a higher rate using the same rules? For example, turn off the Boyer-Moore matching process if there is only one content option and no content modifier in the matching rule? Or by using certain options?

Also, I tried to stop Snort by pressing Ctrl-C after Tcpreplay has finished sending all 780122 packets, but Snort just sort of hangs there without exiting and showing the statistics. I have to run tcpreplay again and then snort exits and displays the statistics. Why is that?

Thank you.

Regards,
Rayne



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20081022/d0e3e7df/attachment.html>


More information about the Snort-users mailing list