[Snort-users] snort.conf "detection engine"

Joel Esler joel.esler at ...14399...
Tue Mar 30 19:04:19 EDT 2010

On Mar 30, 2010, at 6:39 PM, Mike Lococo wrote:
>> basicly low->high mem and low->high performance or combinations there of.
>> What would be considered 'low' or for that matter 'high', with current
>> multi-core systems, is this setting still valid/useful? Or should it
>> just be left to default? for that matter what is default, as I don't see
>> that mentioned.
> It's pretty load dependent.  You can tell what you're running by 
> watching the snort startup output and looking for "Search Info Summary". 
>  I believe that ac-bnfa is default in the current stable snort, 
> although I don't think that has always been the case.
> I don't have a link handy, but when I researched this a few months ago I 
> believe I found a posting from a SourceFire employee suggesting that the 
> difference in performance between the best and worst algorithms were on 
> the order of 10%, but that the memory usage for ac (fastest and the 
> biggest memory hog) could be hundreds of megs or even over a gig for big 
> (gigabit-ish) links... which is much worse than similarly fast 
> lower-memory alternatives like ac-bnfa.
> I'm currently using ac-bnfa with a 300-400megabit link, and memory usage 
> is roughly 1.5G for a snort process, with a little over 2/3rds of that 
> going to stream and frag preprocessors.  I decided that the likely 
> single-digit performance gains going from ac-bnfa to ac were not worth 
> the time to test and extra memory overhead to me.

I generally recommend ac-bnfa across the board.  Until you get to 2.8.6.  2.8.6 has an optimized one, I haven't tested in my network yet though.

Joel Esler

More information about the Snort-users mailing list