Snort mailing list archives
Re: PATCH: more compact ac-bnfa trans list
From: Fingle Nark <finglenark () gmail com>
Date: Thu, 28 Oct 2010 13:48:51 +0100
On Wed, Oct 27, 2010 at 10:30 PM, Russ Combs <rcombs () sourcefire com> wrote:
Thanks for submitting the patch. It certainly looks interesting. I'm going to bug this internally so it can fall into the standard development cycle. Do you have any supporting data I can add to this?
Testing with snort 2.9.0 and snortrules-snapshot-2900 (27 Sep 2010 version), I built snort with the configure options specified in etc/snort.conf in the snortrules package. The only change I made in snort.conf was to use the ac-bnfa matcher:

config detection: search-method ac-bnfa-q search-optimize max-pattern-len 20

Without the patch:

+-[AC-BNFA Search Info Summary]------------------------------
| Instances : 788
| Patterns : 151368
| Pattern Chars : 1590373
| Num States : 1176067
| Num Match States : 142329
| Memory : 26.66Mbytes
| Patterns : 4.98M
| Match Lists : 7.40M
| Transitions : 14.10M
+-------------------------------------------------

With the patch:

+-[AC-BNFA Search Info Summary]------------------------------
| Instances : 788
| Patterns : 151368
| Pattern Chars : 1590373
| Num States : 1176067
| Num Match States : 142329
| Memory : 22.72Mbytes
| Patterns : 4.98M
| Match Lists : 7.40M
| Transitions : 10.15M
+-------------------------------------------------

The "Transitions" memory was reduced by 3.95M from 14.10M to 10.15M, which is a 28% saving.

I ran both versions over a pcap file (mostly http and smb traffic) a bunch of times, and saw no correlation between patched/unpatched and the amount of CPU time used.

~~finglenark