[Snort-users] Pattern Matcher Performance (config detection)
alan.ptak at ...11827...
Thu Feb 24 15:07:19 EST 2011
Great info, thanks for sharing.
It would be useful to have a collection of performance reports like this one available for general reference ... not that I'm volunteering to host or maintain it ...
On Feb 24, 2011, at 11:37 AM, Mike Lococo wrote:
> Hi Folks,
> I just wanted to throw out a report on some quick tests I did on
> pattern-matcher performance. In the past, I've read to expect only a
> few percent difference in performance by selecting different pattern
> matchers, but in certain circumstances it can be much larger.
> * I run a large ruleset of over 7000 rules from VRT and ET on a link
> that peaks at about 1.8gigabits per second each day.
> * Running snort compiled with --enable-perfprofiling shows
> that the pattern-matcher accounts for about 80% of snort's
> CPU time using ac-split.
> * Switching from ac-split to ac-bnfa increased CPU usage by
> about 20%, but decreased RAM usage by a few hundred megs per process.
> * Switching from ac-split to ac-nq decreased CPU usage by about 30%,
> but increased RAM usage by some unknown amount. I actually use almost
> all my ram with ac-split and ac-nq starts swapping before memory usage
> levels off. However, it takes an hour or two to ramp up to that
> point, during which I was able to make informal comparisons.
> I'm sure these results come as no surprise to folks with a deep
> understanding of the pattern-matcher, but I've never seen even informal
> test results before and was surprised how much of an impact it had in my
> environment. If you run a large (multi-thousand rule) ruleset and
> haven't experimented with pattern-matcher selection, I suggest you do.
> Conversely, if you run a small ruleset (or if perfprofiling shows the
> pattern matcher accounts for a small part of your CPU-load) then there's
> probably very little to be gained or lost.
> Mike Lococo
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
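For reference, here is the snort.conf fragment that selects the pattern matcher Mike is comparing and turns on the profiling output he used to see the matcher's share of CPU time. This is an added example, not configuration from either poster or from the Snort project; the rule/preprocessor counts and sort keys are illustrative choices, and the profile_* lines only produce output in a snort binary built with --enable-perfprofiling.

```conf
# snort.conf fragment (added example, not from the original thread)

# Pattern matcher selection. Only one search-method line should be active.
# The thread compares three of the Aho-Corasick variants:
#   ac-split  - the poster's baseline (about 80% of CPU in the matcher)
#   ac-bnfa   - lower memory, roughly 20% more CPU in the poster's environment
#   ac-nq     - roughly 30% less CPU, but higher memory (swapped on the poster's box)
config detection: search-method ac-bnfa
# config detection: search-method ac-split
# config detection: search-method ac-nq

# Preprocessor profiling: the "detect" entry and its sub-items (including the
# mpse pattern matcher) show how much of snort's CPU time the matcher accounts for.
# Requires a build configured with --enable-perfprofiling.
config profile_preprocs: print all, sort total_ticks

# Rule profiling: the ten most expensive rules by average ticks, to find
# rules that are costly independent of the matcher choice.
config profile_rules: print 10, sort avg_ticks
```

Run the sensor with each search-method for a comparable period under real traffic, and compare the detect/mpse share in the profiling summary printed at shutdown along with per-process RSS; as the poster notes, memory with ac-nq keeps growing for an hour or more before it levels off, so short tests understate its RAM cost.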