Snort mailing list archives

Re: Average delay per packet observation


From: Patrick Mullen <pmullen () sourcefire com>
Date: Fri, 7 Jul 2017 07:32:34 -0400

Because of the rules option tree, your "halved" theory doesn't work.  Also,
because of the fast pattern matcher, what rules are evaluated is further
complicated.

Of greater interest (assuming I'm reading the results correctly) is how
far different your results are for 80 rules.  How are you getting your
numbers?  How much traffic are you passing? How many iterations of your
test are you running?  With small, short tests, many things can skew
results, especially on multiuser systems.


Thanks,

Patrick

On Jul 7, 2017 4:53 AM, "Navdeep Uniyal" <Navdeep.Uniyal () neclab eu> wrote:

Thank you for your reply.

In my case I am using a set of 5 rules repeated over (with different sid).
So approximately each set should take the same amount of time relatively.

Example: 80 rules have (16*5) rules
         40 rules have (8*5) rules
         20 rules have (4*5) rules
         10 rules have (2*5) rules

This way, I assume the delay should get halved in each case from 80 to
40. But this is not happening as we can see from the results. Could you
please help me in getting the explanation?

Best Regards,

Navdeep



*From:* Steven Sturges [mailto:ststurge () cisco com]
*Sent:* Wednesday, 5 July 2017 13:43
*To:* Navdeep Uniyal; snort-devel () lists snort org
*Subject:* Re: [Snort-devel] Average delay per packet observation



Rules are not processed sequentially.  Your expectations should depend on
the nature of the individual rules themselves.

On 7/4/17 10:16 AM, Navdeep Uniyal wrote:

Hello everyone,



I got some interesting results running snort (inline) for an experiment with
80, 40, 20, and 10 rules.

All rules match all the incoming UDP packets. Below is the average
delay per packet I found in the 4 experiments:

80 rules:  Average delay:  0.000680666813409 seconds
40 rules:  Average delay:  2.06440535385e-08 seconds
20 rules:  Average delay:  1.6644513569e-08 seconds
10 rules:  Average delay:  1.43723338507e-08 seconds

These results are quite confusing as I expect, on decreasing from 80 to 40
rules the average delay should be approximately halved. But I can’t see
such behavior here.

What could be the possible reason, if someone could explain.

Best Regards,

*Navdeep*






_______________________________________________

Snort-devel mailing list

Snort-devel () lists snort org

https://lists.snort.org/mailman/listinfo/snort-devel



Please visit http://blog.snort.org for the latest news about Snort!
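
The point made in the replies above about the rule option tree, shown as an added example that is not part of the original thread and is not Snort source code. It is a simplified model in which identical leading options are merged into shared tree nodes; the five base rules, their option labels and the sid numbering are constructed for illustration, and every packet is assumed to match every option.

```python
# Simplified model of a shared rule option tree (illustrative, not Snort code).
# The five base rules and their option labels are constructed sample data.
BASE_RULES = [
    ("dsize:>0",),
    ("dsize:>0", 'content:"A"'),
    ("dsize:>0", 'content:"B"'),
    ('content:"C"',),
    ('content:"C"', "dsize:<512"),
]

def make_ruleset(copies):
    """Repeat the five base rules `copies` times, giving each copy its own sid."""
    opts = [o for _ in range(copies) for o in BASE_RULES]
    return list(enumerate(opts, start=1000001))  # [(sid, options), ...]

def sequential_cost(rules):
    """Option checks per packet if each rule were evaluated independently."""
    return sum(len(opts) for _, opts in rules)

def build_tree(rules):
    """Merge rules into a prefix tree; identical leading options share a node."""
    root = {"children": {}, "sids": []}
    for sid, opts in rules:
        node = root
        for opt in opts:
            node = node["children"].setdefault(opt, {"children": {}, "sids": []})
        node["sids"].append(sid)  # rules ending on the same node differ only by sid
    return root

def tree_cost(node):
    """Option checks per packet when every tree node is evaluated once."""
    return sum(1 + tree_cost(child) for child in node["children"].values())

def matched_sids(node):
    """Number of rules (leaf sids) that fire for a packet matching everything."""
    return len(node["sids"]) + sum(matched_sids(c) for c in node["children"].values())

def compare(copies):
    """Return (rule count, sequential checks, shared-tree checks, sids fired)."""
    rules = make_ruleset(copies)
    tree = build_tree(rules)
    return len(rules), sequential_cost(rules), tree_cost(tree), matched_sids(tree)

if __name__ == "__main__":
    for copies in (16, 8, 4, 2):
        print("rules=%d sequential=%d tree=%d sids_fired=%d" % compare(copies))
```

In this model the number of option checks stays constant as the duplicated sets are removed, while only the per-sid leaf work scales with the rule count, so halving the rule count does not halve the evaluation work.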


