[Snort-users] Pattern Matcher Performance (config detection)

Mike Lococo mikelococo at ...11827...
Thu Feb 24 16:55:31 EST 2011

On 02/24/2011 04:30 PM, Martin Holste wrote:
> Got it, that all agrees with my experiences as well.  So, now I'm
> interested in your report that you got a 30% CPU savings with ac-nq.
> What is your exact config statement?

config detection: search-method ac-nq search-optimize max-pattern-len 20

The only thing that changed between these runs is the search-method.  It
was also running on a live-link which may display minor traffic
variation, and measurements were just done by visually averaging htop
bars over a few minutes.  This wasn't a rigorous benchmark at all.

That said, I reproduced it several times and the difference was fairly
striking.  Again, perfprofiling reports that >80% of the CPU time for
snort is spent in the MPSE due to my very large ruleset, so I may be a
fairly extreme case.

Mike Lococo
