Re: Pattern Matcher Performance (config detection)

[Alan Ptak <alan.ptak () gmail com>]

Great info, thanks for sharing. 

It would be useful to have a collection of performance reports like this one available for general reference ... not 
that i'm volunteering to host or maintain it ... 


On Feb 24, 2011, at 11:37 AM, Mike Lococo wrote:

> Hi Folks,
>
> I just wanted to throw out a report on some quick tests I did on
> pattern-matcher performance.  In the past, I've read to expect only a
> few percent different in performance by selecting different pattern
> matchers, but in certain circumstances it can be much larger.
>
> * I run a large ruleset of over 7000 rules from VRT and ET on a link
>  that peaks at about 1.8gigabits per second each day.
> * Running snort compiled with --enable-perfprofiling shows
>  that the pattern-matcher accounts for about 80% of snort's
>  CPU time using ac-split.
> * Switching from ac-split to ac-bnfa increased by CPU usage by
>  about 20%, but decreased ram usage by a few hundred megs per process.
> * Switching from ac-split to ac-nq decreased CPU usage by about 30%,
>  but increased RAM usage by some unknown amount.  I actually use almost
>  all my ram with ac-split and ac-nq starts swapping before memory usage
>  levels off.  However, it takes an hour or two to ramp up to that
>  point, during which I was able to make informal comparisons.
>
> I'm sure these results come as no surprise to folks with a deep
> understanding of the pattern-matcher, but I've never seen even informal
> test results before and was surprised how much of an impact it had in my
> environment.  If you run a large (multi-thousand rule) ruleset and
> haven't experimented with pattern-matcher selection, I suggest you do.
>
> Conversely, if you run a small ruleset (or if perfprofiling shows the
> pattern matcher accounts for a small part of your CPU-load) then there's
> probably very little to be gained or lost.
>
> Cheers,
> Mike Lococo
>
> ------------------------------------------------------------------------------
> Free Software Download: Index, Search & Analyze Logs and other IT data in 
> Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
> generated by your applications, servers and devices whether physical, virtual
> or in the cloud. Deliver compliance at lower cost and gain new business 
> insights. http://p.sf.net/sfu/splunk-dev2dev 
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Alan Ptak
V: 310.488.8606
E: alan.ptak () gmail com


------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users