Snort mailing list archives

Re: Performance comparison between V2 and V3


From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Tue, 19 Feb 2019 15:16:26 -0500

Hi Jeon,

We will be pushing to GitHub some configs and scripts that will help get a good comparison of Snort 2 and Snort 3. Have a look at the snort3_demo repo in the next day or so and let us know what you find.

Thanks
Russ

On 2/19/19 1:24 AM, Min-gyu Jeon via Snort-devel wrote:
Hi All,

I had some performance tests, and want to discuss them with the Snort community.

* WARN: This is not a conclusion *
On my first trial, it seems that SnortV2 with multi process performs better than SnortV3 with multithread.

Do users experience the same results?
Or is it my misconfiguration or misunderstanding?

Any supplements or similar test results would be very helpful for the next trials.
Here are my settings and results.

=========== settings ===========
V2 version: v2.9.11.1
V3 version: build 250

DAQ: afpacket, 24 processes (V3: 24 threads), fanout by hash
Mode: IDS mode

V2 Rule: No rules
V3 Rule: No rules

V3 Config: Converted V2 config by snort2lua

CPU: Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz
NIC: Intel 10G card (Silicom), PE210G2BPI9 Ethernet Bypass
(used only 1 interface)

Traffic generation:
- tcpreplay-edit => 700K pps (*1 interface*)

Traffic info:
- real traffic capture (11 sec)
- about 340K packets and 13k sessions
- HTTP dominant (more than 60%)

============================

=========== results ===========
(V2: 1 Process) vs (V3: 1 Thread)
=> V2: 148K pps (CPU usage: 100%)
=> V3: 26K pps (CPU usage: 80%)

(V2: 24 Process) vs (V3: 24 Thread)
=> V2: 700K pps, full processing (CPU usage: 1500%)
=> V3: 540K pps (CPU usage: 2359%)
============================

Additional notes:

With the same community rules (V2):
According to Snort profiling, the ratio of time spent in modules is

V2: Detection : TCPstream  = 1 : 1
V3: Detection : TCPstream = 2 : 1

With this, the possibilities are
1. misconfiguration of the detection engine in V3
2. V3 actually processes more than V2 when in detection

Which do Snort users think is more possible?

--
Sincerely,
Jeon

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
