Snort mailing list archives

Testing Snort's Pattern Matching Performance


From: Rayne <hjazz6 () ymail com>
Date: Wed, 22 Oct 2008 01:42:04 -0700 (PDT)

Hi,

I'm trying to test the performance of Snort's pattern matching engine, and I have the following 10 rules ($EXTERNAL_NET 
and $HOME_NET are both set to any):

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"he"; content:"he"; sid:1000001; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"VIS"; content:"VIS"; sid:1000002; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"}"; content:"}"; sid:1000003; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BO"; content:"BO"; sid:1000004; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"1"; content:"1"; sid:1000005; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"er"; content:"er"; sid:1000006; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"protocol"; content:"protocol"; sid:1000007; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"@"; content:"@"; sid:1000008; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"s}"; content:"s}"; sid:1000009; rev:1)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"WEIGHT"; content:"WEIGHT"; sid:1000010; rev:1)

I know they're extreme in the sense that all IP packets would be matched and the contents are short strings. But I'm 
just testing how fast Snort can match these patterns, not whether these patterns are realistic or not.

I've turned off all the preprocessors (e.g. frag3, stream5, etc.), leaving only perfmonitor:
(in snort.conf) preprocessor perfmonitor: time 10 file /var/snort/snort.stats pktcnt 10000

From what I understand, all the patterns will be put in the fast pattern matcher since each rule consists of only 1 
content option, and the AC algorithm is run as default. When a pattern matches, Boyer-Moore will be used to match that 
pattern against the entire payload (since there are no content modifiers) again. So each matching string is actually 
matched twice, once using AC, and another time using Boyer-Moore.

I passed in 780122 packets from a pcap file using Tcpreplay at a rate of 97 Mbps, and ran snort as such:
snort -i eth0 -c /etc/snort/snort.conf -N -A none

Snort gave the following statistics:

Received: 780067
Analyzed: 780065 (100.000%)
Dropped: 0 (0.000%)
Outstanding: 2 (0.000%)

My questions are:

1) Why didn't Snort receive all 780122 packets? If I used a higher rate, snort would receive even fewer packets. If I 
turn off the perfmonitor preprocessor, I can get 780067 packets @ 119 Mbps.
2) What are "outstanding" packets?
3) Is the rate of 119 Mbps (without perfmonitor) reasonable or should a higher rate be expected? Ideally I would like 
it to be faster, but I don't know if that's possible.
4) Are there any ways to improve the performance, i.e. receive all packets at a higher rate using the same rules? For 
example, turn off the Boyer-Moore matching process if there is only one content option and no content modifier in the 
matching rule? Or by using certain options?

Also, I tried to stop Snort by pressing Ctrl-C after Tcpreplay had finished sending all 780122 packets, but Snort just 
sort of hangs there without exiting and showing the statistics. I have to run tcpreplay again and then snort exits and 
displays the statistics. Why is that?

Thank you.

Regards,
Rayne
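The post describes a two-stage match: one Aho-Corasick pass over the payload to find candidate rules, then a per-rule re-check of that rule's content against the whole payload. The following is an added illustration, not code from the post or from Snort, that models that two stages with the ten content strings above and counts how much second-stage work a rule set of such short patterns generates. The packet payloads are constructed samples; `bytes.find` stands in for the Boyer-Moore verification step the post mentions.

```python
from collections import deque

# The ten single-content rules from the post, sid -> content bytes (case-sensitive,
# as Snort content matches are by default without the nocase modifier).
RULES = {
    1000001: b"he", 1000002: b"VIS", 1000003: b"}", 1000004: b"BO", 1000005: b"1",
    1000006: b"er", 1000007: b"protocol", 1000008: b"@", 1000009: b"s}", 1000010: b"WEIGHT",
}

# Constructed sample payloads (not from the post's pcap).
PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"user@example.test sent the WEIGHT report {s}",
    b"\x00\x01\x02\x03",
    b"protocol version VIS-1 BO",
]


class AhoCorasick:
    """Multi-pattern matcher: a single pass over a payload reports every pattern hit."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}
        self.out = [[]]    # state -> pattern ids that end here (incl. via fail links)
        self.fail = [0]    # state -> fallback state on mismatch
        for pid, pat in patterns.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(pid)
        # Breadth-first construction of failure links; depth-1 states fall back to root.
        queue = deque()
        for s in self.goto[0].values():
            self.fail[s] = 0
            queue.append(s)
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Patterns that are suffixes of this state's path also match here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, payload):
        """Return (pattern id, end offset) for every occurrence in payload."""
        s, hits = 0, []
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for pid in self.out[s]:
                hits.append((pid, i))
        return hits


AC = AhoCorasick(RULES)


def evaluate_packet(ac, payload):
    """Stage 1: fast-pattern pass yields candidate sids. Stage 2: each candidate's
    content is re-verified over the whole payload (bytes.find models Boyer-Moore).
    Returns (sorted sids that fired, number of stage-2 verifications performed)."""
    candidates = {pid for pid, _ in ac.scan(payload)}
    fired = sorted(pid for pid in candidates if payload.find(RULES[pid]) != -1)
    return fired, len(candidates)


def run(packets, ac=AC):
    """Evaluate all packets and summarise the matching workload."""
    per_sid = {sid: 0 for sid in RULES}
    verify_calls = 0
    packets_with_alerts = 0
    for payload in packets:
        fired, n_verify = evaluate_packet(ac, payload)
        verify_calls += n_verify
        if fired:
            packets_with_alerts += 1
        for sid in fired:
            per_sid[sid] += 1
    return {
        "packets": len(packets),
        "packets_with_alerts": packets_with_alerts,
        "verify_calls": verify_calls,
        "per_sid": per_sid,
    }


if __name__ == "__main__":
    for p in PACKETS:
        print(p[:24], "->", evaluate_packet(AC, p)[0])
    print(run(PACKETS))
```

The summary shows the cost the post is worried about: every candidate from the first pass triggers a second full-payload search, and one-byte contents such as `1` or `@` become candidates on almost any text payload, so the verification count grows with the number of packets rather than with the number of genuinely interesting ones. In a real rule set this is the reason to give each rule a longer, more selective fast pattern.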


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
