Snort mailing list archives
Performance increase while duplicating processes
From: Jonathan Saint-Léger <tan.saintleger () gmail com>
Date: Thu, 1 Jul 2010 18:15:35 +0200
Hi all,

I'm (still) working on getting the best out of Snort, and I found out that Sourcefire's rules got a great speed increase while using host attribute tables (smaller drop rate), but Emerging Threats rules were not as fast as Sourcefire's (even after adding the metadata:service to every possible ET rule, based on the port field of the headers).

So my idea was to use two Snort processes, one loaded with ET rules and the other one with VRT rules, so that the VRT rules don't suffer from ET rules "latency". I was surprised by the very nice figures measured (with the pfring information data placed in /proc/net/pf_ring/<pid>.<nic>), so I decided to do a trivial test: use one single Snort configuration, measure the drop rate when launching 1 Snort process, and measure the drop rate of this Snort config when launching several identical Snort processes.

Since I'm working on a dual quad-core, I launched 9 processes for the second test, expecting to see a substantial increase in drops for this second test. For the first result, I measured around 30% of drops (Tot pkt Lost / Tot Packets of the pf_ring data), and for the second test, each Snort process had around 20% of drops. (The machine I am working on is a dual Xeon E5345 with 8 GB RAM, on a gigabit network.)

Is there any explanation for these strange results? Has anybody already faced the same situation?

thx in advance,

--
Jonathan Saint-Léger