Snort mailing list archives

cpu usage by component


From: Oliver Dain <omd1 () cornell edu>
Date: Mon, 8 Sep 2003 18:19:45 -0400

I'm wondering if anybody has done Snort benchmarks to see how much of the CPU 
time is used by the rules engine, the stream4 preprocessor, frag2, and the 
cost of all the interrupts for each packet.

I know the real answer is "it depends" -- it depends on what rules you're 
running and what your network looks like.  What I'm looking for is rough 
order of magnitude kind of stuff where the rule base is the standard Snort 
rule base (the one I get when I download snort) on a "typical" (admittedly 
poorly defined) network.  Clearly there are extremes in network types.  A 
network running a web server serving many small pages will have more but 
shorter streams for stream4 to reconstruct than an ftp server serving giant 
files.  If this makes a huge difference in the cpu resources required by 
stream4 that'd be interesting.  If it doesn't make much difference that would 
also be interesting.  I also know that the output plugins make a big 
difference so let's take them out of the equation.  

The question is, relative to one another, how much time do the rules engine, 
the various cpu intensive preprocessors and the user/kernel boundary crossing 
require?  Does stream4 use 10 times as much cpu as the rules engine? Is most 
of the cpu time spent getting packets from the NIC, through the kernel and 
into user space?  


