[Snort-users] Pattern Matcher Performance (config detection)
mikelococo at ...11827...
Thu Feb 24 17:44:03 EST 2011
On 02/24/2011 05:15 PM, Martin Holste wrote:
>> config detection: search-method ac-nq search-optimize max-pattern-len 20
> Ok, looks like a pretty standard config, then. I'm going to try to
> see if I can replicate your results.
I look forward to hearing someone else's experience on-list.
>> That said, I reproduced it several times and the difference was fairly
>> striking. Again, perfprofiling reports that >80% of the CPU time for
>> snort is spent in the MPSE due to my very large ruleset, so I may be a
>> fairly extreme case.
> I think this is the standard use case. My impression is that many
> (most?) users run at least a few thousand rules, and that means that
> the pattern matcher is doing almost all of the work. That's why I get
> concerned when people talk about pcap buffers, etc. because it implies
> that you can boost your sustained performance by boosting the buffers...
Agreed, big buffers don't help you if you can't keep up with your
average bandwidth. I use them to even out traffic spikes and allow me
to run closer to 100% cpu-utilization during my daily-peak while
worrying less about short-duration spikes causing dropped packets.
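
An added illustration of the buffering point in the message above (not part of the original post and not Snort code): a simplified tick-based model of a fixed-size capture buffer drained at a constant rate by the detection engine. The rates, buffer sizes and traffic shapes are constructed values, not measurements from any sensor.

```python
def simulate(arrivals, service_rate, buffer_size):
    """Model a fixed-capacity packet buffer drained at a constant rate.

    arrivals      -- packets arriving in each tick (constructed sample data)
    service_rate  -- packets the detection engine can inspect per tick
    buffer_size   -- packets the capture buffer can hold
    Returns (processed, dropped, backlog_left_in_buffer).
    """
    queued = processed = dropped = 0
    for arriving in arrivals:
        # Packets that do not fit in the buffer are dropped on arrival.
        accepted = min(arriving, buffer_size - queued)
        dropped += arriving - accepted
        queued += accepted
        # The engine then drains up to service_rate packets this tick.
        done = min(queued, service_rate)
        queued -= done
        processed += done
    return processed, dropped, queued


SERVICE_RATE = 100  # assumed engine capacity, packets per tick

# Constructed traffic: average 97 pkts/tick (below capacity) with a
# one-tick spike of 250 at the start of every 10-tick cycle.
SPIKY = ([250] + [80] * 9) * 100

# Constructed traffic: steady 120 pkts/tick, 20% above capacity.
OVERLOAD = [120] * 1000

if __name__ == "__main__":
    for name, traffic in (("spiky", SPIKY), ("overload", OVERLOAD)):
        for buf in (100, 1000):
            processed, dropped, backlog = simulate(traffic, SERVICE_RATE, buf)
            print(f"{name:8s} buffer={buf:5d} processed={processed:6d} "
                  f"dropped={dropped:5d} backlog={backlog}")
```

With the spiky traffic the larger buffer removes every drop, because the backlog from each spike drains before the next one. With sustained overload the larger buffer only delays the first drop until it fills, after which packets are lost at the same rate as before.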