Re: 2.1.3rc1 Performance

[Dirk Geschke <Dirk_Geschke () genua de>]

Hi Gary,

> The rules were the same, i just changed the link to the snort binary, so 
> that's not it. 

that's good. 

> Did pcre get rewritten, because it's been supported for a while now??? 

I am not sure, but I fear it is a performance penalty to use regular
expressions to match against a network packet.

> As for the libpcap question, i'll try to find out, because someone else 
> compiled the 2.1.1 binary on a different machine.  But the 2.1.3rc1 that I 
> compiled, libpcap is the most recent version 0.8.3.  In fact, i can almost 
> quarantee that it was a different version since 0.8.3 was released on 
> March 30 and I've had the 2.1.1 binary since before then.  But shouldn't 
> the newer version of libpcap be faster and more efficient?

Yes and no. But sometimes newer releases introduces newer bugs/problems.
(So maybe this counts for snort too.)

It also depends on your operating system. If you use linux then you should
use the ring buffere libpcap version of Phil Wood at 

      http://public.lanl.gov/cpw/

With older libpcap versions on linux I have seen some strange interpretation
of statistics and especially the RedHat version used a complete different
kind how statistics are counted.

Maybe you should recompile the old snort version with the actual libpcap
and try this version again to have a "real" comparison?

Best regards

Dirk



-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users