Snort mailing list archives
Re: Huge performance drop for Snort-2.9.4
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Thu, 7 Feb 2013 15:08:13 -0500

Hello,

Can you please send us the configure options you used with both releases? IPv6 was enabled by default in 2.9.1 and hardened in the release 2.9.4.

Thanks
-Bhagya

On Thu, Feb 7, 2013 at 7:04 AM, abed mohammad kamaluddin <abedamu () gmail com> wrote:
> Hi,
>
> While upgrading from 2.9.0.4 to 2.9.4, there is a huge performance drop. I have compiled both sources using the same libraries, same compiler options (default) and am running in the same environment using exactly the same configuration and rule files. There is anything between 15 - 40 % decrease in performance depending upon the traffic.
>
> I used Intel(R) Xeon(R) CPU X5650 @2.67GHz and daq pcap for the tests. However live traffic also gives than 20% drop in performance. Similar behavior is also seen on MIPS CPU.
>
> Here are the observations:
>
> Pcap with no alerts, uniform large-sized half-million UDP pkts
> snort-2.9.0.4 - 1692 Mbps
> snort-2.9.4 - 1364 Mbps (~20% drop)
>
> Pcap with one alert - non-uniform small-sized TCP pkts
> snort-2.9.0.4 254 Mbps
> snort-2.9.4 163 Mbps (~35 % drop)
>
> This is easily reproducible using all types of traffic. Just to make sure, I also tried 2.9.3.1 and it gave me good performance equivalent to 2.9.0.4. So the reduction has crept up in 2.9.4 itself. I haven't explored it, but maybe consolidation of IPv6 is the cause?
>
> My earlier mail regarding optimization (http://seclists.org/snort/2013/q1/195) has the same proportionate performance enhancement on both 2.9.4 and 2.9.0.4.
>
> Thanks,
> Abed M K
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013 and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!