[Snort-users] Pattern Matcher Performance (config detection)
mikelococo at ...11827...
Thu Feb 24 14:37:35 EST 2011
I just wanted to throw out a report on some quick tests I did on
pattern-matcher performance. In the past, I've read to expect only a
few percent difference in performance by selecting different pattern
matchers, but in certain circumstances it can be much larger.
* I run a large ruleset of over 7000 rules from VRT and ET on a link
that peaks at about 1.8gigabits per second each day.
* Running snort compiled with --enable-perfprofiling shows
that the pattern-matcher accounts for about 80% of snort's
CPU time using ac-split.
* Switching from ac-split to ac-bnfa increased CPU usage by
about 20%, but decreased ram usage by a few hundred megs per process.
* Switching from ac-split to ac-nq decreased CPU usage by about 30%,
but increased RAM usage by some unknown amount. I actually use almost
all my ram with ac-split and ac-nq starts swapping before memory usage
levels off. However, it takes an hour or two to ramp up to that
point, during which I was able to make informal comparisons.
I'm sure these results come as no surprise to folks with a deep
understanding of the pattern-matcher, but I've never seen even informal
test results before and was surprised how much of an impact it had in my
environment. If you run a large (multi-thousand rule) ruleset and
haven't experimented with pattern-matcher selection, I suggest you do.
Conversely, if you run a small ruleset (or if perfprofiling shows the
pattern matcher accounts for a small part of your CPU-load) then there's
probably very little to be gained or lost.
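A small harness for repeating the comparison above on your own sensor, as an added example (not the poster's own tooling): it rewrites the `config detection: search-method` directive in a copy of snort.conf for each matcher, replays a capture through Snort, and records CPU time and peak RSS from GNU time. It assumes `snort` is on PATH, GNU time is at `/usr/bin/time`, and the base configuration and pcap paths are supplied by the caller.

```python
"""Compare Snort 2.x pattern matchers (ac-split, ac-bnfa, ac-nq) by CPU time and peak RSS."""
import os
import re
import subprocess
import tempfile

SEARCH_METHODS = ["ac-split", "ac-bnfa", "ac-nq"]


def set_search_method(conf_text, method):
    """Return conf_text with the 'config detection:' search-method replaced by method.
    If the base configuration has no such directive, one is appended."""
    pattern = re.compile(r"^(config\s+detection:.*?search-method\s+)([\w-]+)", re.M)
    if pattern.search(conf_text):
        return pattern.sub(lambda m: m.group(1) + method, conf_text, count=1)
    return conf_text.rstrip("\n") + f"\nconfig detection: search-method {method}\n"


def parse_gnu_time(stderr_text):
    """Parse `/usr/bin/time -v` output into (cpu_seconds, max_rss_kb)."""
    def grab(label):
        m = re.search(re.escape(label) + r":\s*([\d.]+)", stderr_text)
        return float(m.group(1)) if m else None
    user = grab("User time (seconds)")
    system = grab("System time (seconds)")
    rss = grab("Maximum resident set size (kbytes)")
    if None in (user, system, rss):
        raise ValueError("unexpected GNU time output")
    return (user + system, int(rss))


def run_benchmark(base_conf, pcap, methods=SEARCH_METHODS):
    """Replay pcap once per search method; return {method: (cpu_seconds, max_rss_kb)}."""
    with open(base_conf) as f:
        base = f.read()
    conf_dir = os.path.dirname(os.path.abspath(base_conf))  # keep relative includes working
    results = {}
    for method in methods:
        with tempfile.NamedTemporaryFile("w", suffix=".conf", dir=conf_dir,
                                         delete=False) as tmp:
            tmp.write(set_search_method(base, method))
        cmd = ["/usr/bin/time", "-v", "snort", "-q", "-c", tmp.name, "-r", pcap]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        os.unlink(tmp.name)
        results[method] = parse_gnu_time(proc.stderr)
    return results


if __name__ == "__main__":
    for method, (cpu, rss_kb) in run_benchmark("snort.conf", "sample.pcap").items():
        print(f"{method:9s} cpu={cpu:8.2f}s  max_rss={rss_kb / 1024:8.1f} MB")
```

A short replay will not reproduce the slow memory ramp the post describes on live traffic, so watch RSS over a longer run before changing a production sensor.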