Snort mailing list archives

Re: Snort v2.7.0 improve performance with lowmem search method on pcap file!


From: "Colin Grady" <colin.grady () gmail com>
Date: Mon, 23 Jul 2007 11:02:34 -0500

To confirm, you're using stream4 with 2.6.1.5 and stream5 with 2.7.0?

Thanks,
Colin Grady


On 7/22/07, rmkml <rmkml () free fr> wrote:
Hi Justin and Colin,
Events missed by 270 are:
      97 (spp_stream4) possible EVASIVE FIN
       2 (spp_stream4) possible EVASIVE RST
but v270 is 50% faster than 2615!
Rmkml


On Mon, 23 Jul 2007, Justin Heath wrote:

Date: Mon, 23 Jul 2007 11:19:05 -0400
From: Justin Heath <justin.heath () gmail com>
To: Colin Grady <colin.grady () gmail com>
Cc: rmkml <rmkml () free fr>, Snort-users () lists sourceforge net,
    Snort-devel () lists sourceforge net
Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search
     method on pcap file!

Are you referring to rule or preprocessor/decoder alerts? How many
individual alerts are present in 2.6.1.5 which are not present in 2.7.0?
Do you have pcaps associated with the individual alerts? If so, can
you send them in to bugs () snort org along with the 2.6.1.5 and 2.7.0
conf file you are using along with any configure/make args you are
using?


Cheers,
Justin Heath

On 7/23/07, Colin Grady <colin.grady () gmail com> wrote:
Rmkml,

There are a different number of alerts being generated for 2.6.1.5 and
2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced
false-positives or misses? Have you looked at the alerts that were
generated in 2.6.1.5 but not 2.7.0 to validate/investigate the
difference?

Thanks,

Colin Grady


On 7/22/07, rmkml <rmkml () free fr> wrote:
Hi,
Snort v2.7.0 improves performance on the same pcap file:
  snort 2615 : 60s
  snort 270  : 30s
The search method used is lowmem and the snort conf is as similar as possible.

If I change to ac-bnfa, on the same pcap file:
  snort 2615 : 62s
  snort 270  : 36s

lowmem uses 103 MB of memory and ac-bnfa uses 111 MB on snort 270.
Alert count: 270=25486, 2615=25585, test repeated 10x.
Tested on a Linux Fedora Core 7 x86 laptop platform.
Best Regards
Rmkml
Crusoe Researches

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
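The comparison the thread asks for, attributing the 99-alert gap to specific signatures and separating rule alerts from preprocessor/decoder alerts, as an added example that is not part of the original thread: it parses Snort alert_fast output from two runs and reports per-signature count differences. The sample lines, sids and the stream5 message are constructed; only the stream4 EVASIVE FIN/RST messages come from the thread.

```python
import re
from collections import Counter

# Constructed alert_fast line: "<ts>  [**] [gid:sid:rev] <message> [**] [Priority: N] {proto} src -> dst"
# Capture the generator:sid:rev triple and the message text between the [**] markers.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]")


def count_alerts(lines):
    """Count alerts per (gid:sid:rev, message); lines without markers are ignored."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def alert_delta(old_lines, new_lines):
    """Map each signature whose count changed to old_count - new_count.
    Positive: the new build raised fewer (misses or dropped false positives);
    negative: the new build raised more."""
    old, new = count_alerts(old_lines), count_alerts(new_lines)
    return {k: old[k] - new[k] for k in old.keys() | new.keys() if old[k] != new[k]}


def split_by_source(delta):
    """Separate rule alerts (generator id 1) from preprocessor/decoder alerts."""
    rules = {k: v for k, v in delta.items() if k[0].startswith("1:")}
    preproc = {k: v for k, v in delta.items() if not k[0].startswith("1:")}
    return rules, preproc


# Constructed excerpts standing in for the 2.6.1.5 (OLD_RUN) and 2.7.0 (NEW_RUN) alert files.
OLD_RUN = [
    "07/22-10:00:01.000001  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80",
    "07/22-10:00:02.000002  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.1:1235 -> 10.0.0.2:80",
    "07/22-10:00:03.000003  [**] [111:2:1] (spp_stream4) possible EVASIVE RST [**] [Priority: 3] {TCP} 10.0.0.1:1236 -> 10.0.0.2:80",
    "07/22-10:00:04.000004  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 2] {TCP} 10.0.0.3:4444 -> 10.0.0.2:22",
    "07/22-10:00:05.000005  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 2] {TCP} 10.0.0.3:4445 -> 10.0.0.2:22",
]
NEW_RUN = [
    "07/22-10:00:04.000004  [**] [1:1000001:1] LOCAL constructed test rule [**] [Priority: 2] {TCP} 10.0.0.3:4444 -> 10.0.0.2:22",
    "07/22-10:00:06.000006  [**] [129:1:1] (spp_stream5) constructed sample event [**] [Priority: 3] {TCP} 10.0.0.1:1237 -> 10.0.0.2:80",
]

if __name__ == "__main__":
    rules, preproc = split_by_source(alert_delta(OLD_RUN, NEW_RUN))
    for label, part in (("rule", rules), ("preproc/decoder", preproc)):
        for (sig, msg), diff in sorted(part.items()):
            print(f"{label:16} {diff:+4d}  [{sig}] {msg}")
```

Running it on the real alert files of both builds (one list of lines per run) gives the per-signature breakdown needed to decide whether each missing alert is a stream4-versus-stream5 behaviour change or a genuine miss worth a pcap report.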