Snort mailing list archives
Re: snort.conf "detection engine"
From: Mike Lococo <mikelococo () gmail com>
Date: Tue, 30 Mar 2010 18:39:51 -0400
basically low->high mem and low->high performance or combinations thereof. What would be considered 'low' or for that matter 'high', with current multi-core systems, is this setting still valid/useful? Or should it just be left to default? For that matter what is default, as I don't see that mentioned.
It's pretty load dependent. You can tell what you're running by watching the snort startup output and looking for "Search Info Summary". I believe that ac-bnfa is default in the current stable snort, although I don't think that has always been the case.

I don't have a link handy, but when I researched this a few months ago I believe I found a posting from a Sourcefire employee suggesting that the difference in performance between the best and worst algorithms was on the order of 10%, but that the memory usage for ac (fastest and the biggest memory hog) could be hundreds of megs or even over a gig for big (gigabit-ish) links... which is much worse than similarly fast lower-memory alternatives like ac-bnfa.

I'm currently using ac-bnfa with a 300-400 megabit link, and memory usage is roughly 1.5G for a snort process, with a little over 2/3rds of that going to stream and frag preprocessors. I decided that the likely single-digit performance gains going from ac-bnfa to ac were not worth the time to test and extra memory overhead to me.

Thanks,
Mike Lococo
Current thread:
- snort.conf "detection engine" Franklin Jones (Mar 30)
- Re: snort.conf "detection engine" Mike Lococo (Mar 30)
- Re: snort.conf "detection engine" Joel Esler (Mar 30)
- Re: snort.conf "detection engine" Jason Wallace (Mar 31)
- Re: snort.conf "detection engine" Mike Lococo (Mar 30)