[Snort-users] TCP stream processing performance

Kevin Wang kevin.wang at ...17580...
Tue Jun 28 08:55:40 EDT 2016


Thank you, Victor and Albert!

Is the flushing taking a lot of CPU time? The time spent (shown in the performance profile) is mostly on memory operations rather than CPU calculation, right?

Not sure if I expressed it clearly. The background is that I am currently starting to do some research on improving the overall intrusion detection performance and, if necessary, we can use hardware acceleration on the processing. I know we can do something on the pattern matching side with extra hardware like TCAMs. However, for the preprocessor part, is there any way/need to improve it using extra special hardware other than more memory and processors?

Best Regards,
Kevin


From: Victor Roemer [mailto:viroemer at ...589...]
Sent: June 27, 2016 10:33 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] TCP stream processing performance


Hi Kevin,



You are correct. While there are additional overheads such as host TCP state emulation, preprocessor alerts and stream normalizations, it is probably accurate to say that the actual reassembled packet flushing etc. is the most intensive.

On 6/27/16 5:59 PM, Kevin Wang wrote:
Hello,

I am looking at Snort performance and I found that in the Preprocessor profile statistics, "s5" or "s5tcp" is taking a lot of time. My understanding is that s5tcp is for TCP stream reassembly and the time taken is mostly due to the buffering and mis-ordered packets. The actual processing by the CPU is relatively short. Is my understanding correct, or is there other intense processing going on?

Thanks,
Kevin
Email Disclaimer & Confidentiality Notice
This message is confidential and intended solely for the use of the recipient to whom they are addressed. If you are not the intended recipient you should not deliver, distribute or copy this e-mail. Please notify the sender immediately by e-mail and delete this e-mail from your system. Copyright (c) 2016 by Istuary Innovation Labs, Inc. All rights reserved.




