Snort mailing list archives
Re: 2.1.3rc1 Performance
From: Gary_Portnoy () itginc com
Date: Wed, 19 May 2004 10:49:44 -0400
The rules were the same, i just changed the link to the snort binary, so that's not it. Did pcre get rewritten, because it's been supported for a while now??? As for the libpcap question, i'll try to find out, because someone else compiled the 2.1.1 binary on a different machine. But the 2.1.3rc1 that I compiled, libpcap is the most recent version 0.8.3. In fact, i can almost quarantee that it was a different version since 0.8.3 was released on March 30 and I've had the 2.1.1 binary since before then. But shouldn't the newer version of libpcap be faster and more efficient? -Gary- ------------------------------------------- Gary Portnoy Dirk Geschke <Dirk_Geschke () genua de> 05/19/2004 10:32 AM To: Gary_Portnoy () itginc com cc: snort-users () lists sourceforge net, Dirk_Geschke () genua de Subject: Re: [Snort-users] 2.1.3rc1 Performance Hi Gary,
Yesterday I replaced my 2.1.1RC1 build with 2.1.3RC1. Today I checked
the
perfmon stats and nearly fell off my chair. They are reporting that
snort
is dropping on average about 15% of traffic. With 2.1.1RC1 perfmon has always reported 0% pkts dropped and I believed it. Now I am seeing that
there are times when snort is dropping as much as 89%, and that is at times with only 0.9mbps throughput and using 11% of the cpu. Some other
times i am seeing drop rates of 12% with 5.1mbps throughput while using 77% of the cpu.
did you use the same rules on both versions? There are a lot of changes between these two versions especially an increase in the use of pcre... And did you also use the same libpcap? Best regards Dirk -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- This message is for the named person's use only. This communication is for informational purposes only and has been obtained from sources believed to be reliable, but it is not necessarily complete and its accuracy cannot be guaranteed. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. Moreover, this material should not be construed to contain any recommendation regarding, or opinion concerning, any security. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. ITG Inc. reserves the right to monitor and archive all electronic communications through its network. ITG Inc. Member NASD, SIPC -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- ------------------------------------------------------- This SF.Net email is sponsored by: SourceForge.net Broadband Sign-up now for SourceForge Broadband and get the fastest 6.0/768 connection for only $19.95/mo for the first 3 months! http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- 2.1.3rc1 Performance Gary_Portnoy (May 18)
- Re: 2.1.3rc1 Performance Dirk Geschke (May 19)
- <Possible follow-ups>
- Re: 2.1.3rc1 Performance Gary_Portnoy (May 19)
- Re: 2.1.3rc1 Performance Dirk Geschke (May 19)
- Re: 2.1.3rc1 Performance Gary_Portnoy (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- SnortCenter-Acid-SuSE byte_test issue Mike Feetham (May 19)
- Re: SnortCenter-Acid-SuSE byte_test issue AJ Butcher, Information Systems and Computing (May 20)
- SnortCenter-Acid-SuSE byte_test issue Mike Feetham (May 19)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
- RE: 2.1.3rc1 Performance Dirk Geschke (May 19)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
(Thread continues...)