Snort mailing list archives
RE: 2.1.3rc1 Performance
From: "snort user" <snortuser () hotmail com>
Date: Wed, 19 May 2004 22:11:50 +0000
Hi, I use the .0.8.x branch of libpcap, so I'm not sure if this applies to earlier branches, but all the following has been verified for this branch.
I actually noticed this a long time ago, and a few other bugs; maybe I should get on the devel list. The stats are being reported inaccurately in the util.c file. Here's part of the problem:
-- code snip --
"Snort analyzed %u out of %u packets, ",
ps.ps_recv, ps.ps_recv+ps.ps_drop);
-- end snip --
ps_recv is the total packets received (meaning received and dropped).
ps_drop is the total dropped.
So this is an inaccurate reading. The really bad thing is that whatever
packet loss it tells you is actually worse, since it uses
(packets_dropped/(total_packet+packet_dropped)), which increases the
total packets it thinks it sees. So if you're seeing 40% packet loss, it's more
like 66%.
I've been doing extensive tests with Snort lately, and I've determined that even on a Linux system with very high performance hardware you can really get more than 200 Mb/s without dropping packets unless you really limit your rules and remove preprocessors such as stream4 and frag2. There really needs to be better pattern matching and optimization for Snort to not drop so many packets.
I'd be interested in hearing any schemes or ideas people have tried for improving the performance of Snort on Linux.
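The arithmetic described in the message above, as an added example that is not part of the original post and not Snort's or libpcap's code. It assumes, as the poster states for their libpcap branch, that ps_recv already includes dropped packets; the struct and function names are hypothetical and the counter values are constructed.

```c
#include <stdio.h>

/* Local mirror of the two counters used in the quoted snippet
 * (hypothetical type, not libpcap's struct pcap_stat). */
struct cap_counters {
    unsigned int recv;  /* ps_recv */
    unsigned int drop;  /* ps_drop */
};

/* Loss % with the denominator from the quoted snippet: ps_recv + ps_drop. */
double loss_as_printed(struct cap_counters c)
{
    double total = (double)c.recv + (double)c.drop;
    return total > 0.0 ? 100.0 * c.drop / total : 0.0;
}

/* Loss % under the post's assumption that ps_recv includes the drops. */
double loss_if_recv_includes_drops(struct cap_counters c)
{
    if (c.recv == 0) return 0.0;
    if (c.drop > c.recv) return -1.0;  /* counters contradict the assumption */
    return 100.0 * c.drop / c.recv;
}

/* Packets actually analyzed under the same assumption (-1 if inconsistent). */
long analyzed_if_recv_includes_drops(struct cap_counters c)
{
    return c.drop > c.recv ? -1L : (long)(c.recv - c.drop);
}

/* Convert a printed loss figure to the loss under the assumption:
 * p = d/(r+d)  =>  d/r = p/(1-p).  Returns -1 for out-of-range input. */
double rescale_printed_loss(double printed_pct)
{
    if (printed_pct < 0.0 || printed_pct >= 100.0) return -1.0;
    return 100.0 * printed_pct / (100.0 - printed_pct);
}

int main(void)
{
    struct cap_counters c = { 3000000u, 2000000u };  /* constructed sample */
    printf("printed loss:   %.1f%%\n", loss_as_printed(c));
    printf("loss if ps_recv includes drops: %.1f%%\n",
           loss_if_recv_includes_drops(c));
    printf("analyzed: %ld of %u\n", analyzed_if_recv_includes_drops(c), c.recv);
    printf("40%% printed -> %.1f%%\n", rescale_printed_loss(40.0));
    return 0;
}
```

Whether ps_recv counts dropped packets depends on the platform and libpcap version, so check that for the capture platform in use before applying the rescaling.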
