Snort mailing list archives
Re: Pattern Matcher Performance (config detection)
From: Martin Holste <mcholste () gmail com>
Date: Thu, 24 Feb 2011 14:30:19 -0600
* I run a large ruleset of over 7000 rules from VRT and ET on a link that peaks at about 1.8 gigabits per second each day.
* Running snort compiled with --enable-perfprofiling shows that the pattern-matcher accounts for about 80% of snort's CPU time using ac-split.
* Switching from ac-split to ac-bnfa increased CPU usage by about 20%, but decreased RAM usage by a few hundred megs per process.
* Switching from ac-split to ac-nq decreased CPU usage by about 30%, but increased RAM usage by some unknown amount.
So are you inferring that you are running 7000 rules on a 1.8 gig link on a single snort instance and aren't always at 100% CPU? If that's the case, then either you have very little HTTP traffic in your 1.8 gig link, or you're not monitoring what you think you're monitoring (BPF filtering, etc.). Any Snort instance with more than 1000 rules will be overwhelmed at 200-300 Mb/sec of HTTP traffic no matter which pattern matcher you're using. You can up your Mb/sec a bit with an Endace card, PF_RING, and a few other tricks, but you can't even run 1.8 gig through the preprocessors without hitting 100% CPU. I would love to be wrong about this, but it's going to take a lot to convince me that you're achieving anywhere near that throughput on a single instance.
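An added example, not part of the thread: a Snort 2.x snort.conf fragment showing the search-method alternatives the original poster compared, next to the profiling directives that produce the per-preprocessor and per-rule tick counts a build with --enable-perfprofiling reports. The percentages in the comments are the poster's reported figures for their own ruleset and link, not general constants.

```snort
# Added example, not from the thread: Snort 2.x snort.conf fragment.
# Exactly one search-method line may be active; the three below are the
# variants measured in the original post.

# Aho-Corasick full matrix, with the content-only "any any" rules split
# into their own port group (equivalent to "ac" plus "split-any-any").
config detection: search-method ac-split

# Binary NFA variant: the poster saw ~20% more CPU and a few hundred MB
# less RAM per process than ac-split.
# config detection: search-method ac-bnfa

# Full Aho-Corasick without the match queue: the poster saw ~30% less
# CPU than ac-split, at the cost of more RAM.
# config detection: search-method ac-nq

# Profiling directives. They take effect only when snort was built with
# --enable-perfprofiling; the summary is written when snort shuts down.
# Sorting preprocessors by total_ticks is what exposes the share of CPU
# spent in the pattern matcher (the 80% figure quoted above).
config profile_preprocs: print all, sort total_ticks
config profile_rules: print 20, sort avg_ticks
```

Run the same traffic through each variant in turn and compare the profile_preprocs output; per-process RSS must be watched separately, since the profiler reports ticks, not memory.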