Snort mailing list archives

Re: snort.conf "detection engine"


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Wed, 31 Mar 2010 09:01:14 -0400

"memory usage for ac (fastest and the biggest memory hog) could be
hundreds of megs or even over a gig for big (gigabit-ish) links..."

You don't need a lot of traffic with ac to use a lot of memory. On one
segment I'm using ac on we see between 10-20Mb/s and my snort process
is using ~2300MB of memory.

Thx,
Wally

On Tue, Mar 30, 2010 at 6:39 PM, Mike Lococo <mikelococo () gmail com> wrote:
basically low->high mem and low->high performance or combinations thereof.
What would be considered 'low' or for that matter 'high', with current
multi-core systems, is this setting still valid/useful? Or should it
just be left to default? for that matter what is default, as I don't see
that mentioned.

It's pretty load dependent. You can tell what you're running by
watching the snort startup output and looking for "Search Info Summary".
I believe that ac-bnfa is default in the current stable snort,
although I don't think that has always been the case.

I don't have a link handy, but when I researched this a few months ago I
believe I found a posting from a Sourcefire employee suggesting that the
difference in performance between the best and worst algorithms was on
the order of 10%, but that the memory usage for ac (fastest and the
biggest memory hog) could be hundreds of megs or even over a gig for big
(gigabit-ish) links... which is much worse than similarly fast
lower-memory alternatives like ac-bnfa.

I'm currently using ac-bnfa with a 300-400 megabit link, and memory usage
is roughly 1.5G for a snort process, with a little over 2/3rds of that
going to stream and frag preprocessors. I decided that the likely
single-digit performance gains going from ac-bnfa to ac were not worth
the time to test and extra memory overhead to me.

Thanks,
Mike Lococo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

