[Snort-users] snort.conf "detection engine"
mikelococo at ...11827...
Tue Mar 30 18:39:51 EDT 2010
> basically low->high mem and low->high performance or combinations thereof.
> What would be considered 'low' or, for that matter, 'high'? With current
> multi-core systems, is this setting still valid/useful? Or should it
> just be left at the default? For that matter, what is the default, as I don't see
> that mentioned.
It's pretty load dependent. You can tell what you're running by
watching the snort startup output and looking for "Search Info Summary".
I believe that ac-bnfa is default in the current stable snort,
although I don't think that has always been the case.
I don't have a link handy, but when I researched this a few months ago I
believe I found a posting from a SourceFire employee suggesting that the
difference in performance between the best and worst algorithms was on
the order of 10%, but that the memory usage for ac (the fastest and the
biggest memory hog) could be hundreds of megs or even over a gig for big
(gigabit-ish) links... which is much worse than similarly fast,
lower-memory alternatives like ac-bnfa.
I'm currently using ac-bnfa with a 300-400 megabit link, and memory usage
is roughly 1.5G for a snort process, with a little over 2/3rds of that
going to the stream and frag preprocessors. I decided that the likely
single-digit performance gains going from ac-bnfa to ac were not worth
the time to test and the extra memory overhead to me.