[Snort-users] snort.conf "detection engine"
joel.esler at ...14399...
Tue Mar 30 19:04:19 EDT 2010
On Mar 30, 2010, at 6:39 PM, Mike Lococo wrote:
>> basicly low->high mem and low->high performance or combinations there of.
>> What would be considered 'low' or for that matter 'high', with current
>> multi-core systems, is this setting still valid/useful? Or should it
>> just be left to default? for that matter what is default, as I don't see
>> that mentioned.
> It's pretty load dependent. You can tell what you're running by
> watching the snort startup output and looking for "Search Info Summary".
> I believe that ac-bnfa is default in the current stable snort,
> although I don't think that has always been the case.
> I don't have a link handy, but when I researched this a few months ago I
> believe I found a posting from a SourceFire employee suggesting that the
> difference in performance between the best and worst algorithms were on
> the order of 10%, but that the memory usage for ac (fastest and the
> biggest memory hog) could be hundreds of megs or even over a gig for big
> (gigabit-ish) links... which is much worse than similarly fast
> lower-memory alternatives like ac-bnfa.
> I'm currently using ac-bnfa with a 300-400megabit link, and memory usage
> is roughly 1.5G for a snort process, with a little over 2/3rds of that
> going to stream and frag preprocessors. I decided that the likely
> single-digit performance gains going from ac-bnfa to ac were not worth
> the time to test and extra memory overhead to me.
I generally recommend ac-bnfa across the board. Until you get to 2.8.6. 2.8.6 has an optimized one, I haven't tested in my network yet though.
More information about the Snort-users