[Snort-users] Pattern Matcher Performance (config detection)

Martin Holste mcholste at ...11827...
Thu Feb 24 15:30:19 EST 2011


> * I run a large ruleset of over 7000 rules from VRT and ET on a link
>  that peaks at about 1.8gigabits per second each day.
> * Running snort compiled with --enable-perfprofiling shows
>  that the pattern-matcher accounts for about 80% of snort's
>  CPU time using ac-split.
> * Switching from ac-split to ac-bnfa increased CPU usage by
>  about 20%, but decreased RAM usage by a few hundred megs per process.
> * Switching from ac-split to ac-nq decreased CPU usage by about 30%,
>  but increased RAM usage by some unknown amount.

So are you inferring that you are running 7000 rules on a 1.8 gig link
on a single snort instance and aren't always at 100% CPU?  If that's
the case, then either you have very little HTTP traffic in your 1.8
gig link, or you're not monitoring what you think you're monitoring
(BPF filtering, etc.).  Any Snort instance with more than 1000 rules
will be overwhelmed at 200-300 Mb/sec of HTTP traffic no matter which
pattern matcher you're using.  You can up your Mb/sec a bit with an
Endace card, PF_RING, and a few other tricks, but you can't even run
1.8 gig through the preprocessors without hitting 100% CPU.  I would
love to be wrong about this, but it's going to take a lot to convince
me that you're achieving anywhere near that throughput on a single
instance.
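An added example, not taken from either message in this thread, of the snort.conf "config detection" lines behind the comparison quoted above, together with the profiling directives that a --enable-perfprofiling build honours. The search-method names and the profile_rules/profile_preprocs keywords are Snort 2.x configuration; the comments summarising each matcher's trade-off restate the numbers the original poster reported and are not claims about every deployment:

```conf
# Added example (not from the thread): snort.conf 2.x pattern-matcher and profiling settings.
# Exactly one "search-method" line should be active; the others are left commented so the
# options discussed in the thread can be compared side by side.

# ac-split: full Aho-Corasick with the any-any rules split out. The poster's baseline,
# where the matcher took roughly 80% of CPU time.
# config detection: search-method ac-split

# ac-bnfa: the lower-memory NFA matcher. In the poster's test it cost about 20% more CPU
# but saved a few hundred MB of RAM per process.
# config detection: search-method ac-bnfa, split-any-any

# ac-nq: Aho-Corasick without the match queue. In the poster's test it cut CPU by about
# 30% at an unmeasured RAM cost. Compare alert output, not only CPU, before adopting it.
config detection: search-method ac-nq, split-any-any

# Profiling (needs a build configured with --enable-perfprofiling). At shutdown Snort prints
# the most expensive rules and preprocessors sorted by the chosen metric, which is how to
# confirm whether the matcher or the preprocessors are the bottleneck on a given link.
config profile_rules: print 20, sort avg_ticks
config profile_preprocs: print all, sort total_ticks
```

The profile_preprocs output is the quicker way to test the claim made in the reply: if the preprocessor ticks alone approach the available CPU budget at the observed packet rate, changing the pattern matcher will not recover the gap, and the instance is either seeing far less traffic than assumed (BPF filter, span-port limits) or needs the load split across instances.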