[Snort-users] Pattern Matcher Performance (config detection)
mikelococo at ...11827...
Thu Feb 24 16:55:31 EST 2011
On 02/24/2011 04:30 PM, Martin Holste wrote:
> Got it, that all agrees with my experiences as well. So, now I'm
> interested in your report that you got a 30% CPU savings with ac-nq.
> What is your exact config statement?
config detection: search-method ac-nq search-optimize max-pattern-len 20
The only thing that changed between these runs is the search-method. It
was also running on a live-link which may display minor traffic
variation, and measurements were just done by visually averaging htop
bars over a few minutes. This wasn't a rigorous benchmark at all.
That said, I reproduced it several times and the difference was fairly
striking. Again, perfprofiling reports that >80% of the CPU time for
snort is spent in the MPSE due to my very large ruleset, so I may be a
fairly extreme case.
More information about the Snort-users