[Snort-users] Pattern Matcher Performance (config detection)

Mike Lococo mikelococo at ...11827...
Thu Feb 24 17:44:03 EST 2011

On 02/24/2011 05:15 PM, Martin Holste wrote:
>> config detection: search-method ac-nq search-optimize max-pattern-len 20
> Ok, looks like a pretty standard config, then.  I'm going to try to
> see if I can replicate your results.

I look forward to hearing someone else's experience on-list.

>> That said, I reproduced it several times and the difference was fairly
>> striking.  Again, perfprofiling reports that >80% of the CPU time for
>> snort is spent in the MPSE due to my very large ruleset, so I may be a
>> fairly extreme case.
> I think this is the standard use case.  My impression is that many
> (most?) users run at least a few thousand rules, and that means that
> the pattern matcher is doing almost all of the work.  That's why I get
> concerned when people talk about pcap buffers, etc. because it implies
> that you can boost your sustained performance by boosting the buffers...

Agreed, big buffers don't help you if you can't keep up with your
average bandwidth.  I use them to even out traffic spikes and allow me
to run closer to 100% cpu-utilization during my daily-peak while
worrying less about short-duration spikes causing dropped packets.

Mike Lococo

More information about the Snort-users mailing list