[Snort-users] snort.conf "detection engine"

Mike Lococo mikelococo at ...11827...
Tue Mar 30 18:39:51 EDT 2010

> basicly low->high mem and low->high performance or combinations there of.
> What would be considered 'low' or for that matter 'high', with current
> multi-core systems, is this setting still valid/useful? Or should it
> just be left to default? for that matter what is default, as I don't see
> that mentioned.

It's pretty load dependent.  You can tell what you're running by 
watching the snort startup output and looking for "Search Info Summary". 
  I believe that ac-bnfa is default in the current stable snort, 
although I don't think that has always been the case.

I don't have a link handy, but when I researched this a few months ago I 
believe I found a posting from a SourceFire employee suggesting that the 
difference in performance between the best and worst algorithms were on 
the order of 10%, but that the memory usage for ac (fastest and the 
biggest memory hog) could be hundreds of megs or even over a gig for big 
(gigabit-ish) links... which is much worse than similarly fast 
lower-memory alternatives like ac-bnfa.

I'm currently using ac-bnfa with a 300-400megabit link, and memory usage 
is roughly 1.5G for a snort process, with a little over 2/3rds of that 
going to stream and frag preprocessors.  I decided that the likely 
single-digit performance gains going from ac-bnfa to ac were not worth 
the time to test and extra memory overhead to me.

Mike Lococo

More information about the Snort-users mailing list