Snort mailing list archives

Performance increase while duplicating processes


From: Jonathan Saint-Léger <tan.saintleger () gmail com>
Date: Thu, 1 Jul 2010 18:15:35 +0200

Hi all,

I'm (still) working on getting the best out of Snort, and I found out that
Sourcefire's rules got a great speed increase while using host attribute
tables (smaller drop rate), but Emerging Threats rules were not as fast as
Sourcefire's (even after adding the metadata:service to every possible ET
rule, based on the port field of the headers).

So my idea was to use two Snort processes, one loaded with ET rules and the
other one with VRT rules, so that the VRT rules don't suffer from ET rules
"latency".

I was surprised by the very nice figures measured (with the pfring
information data placed in /proc/net/pf_ring/<pid>.<nic> ) so I decided to
do a trivial test: use one single snort configuration, measure the drop rate
when launching 1 snort process, and measure the drop rate of this snort
config when launching several identical snort processes. Since I'm working
on a dual quad-core, I launched 9 processes for the second test, expecting
to see a substantial increase in drops for this second test.

For the first result, I measured around 30% of drops (Tot pkt Lost / Tot
Packets of the pf_ring data), and for the second test, each snort process
had around 20% of drops.
(The machine I am working on is a dual Xeon E5345 with 8gig Ram, on a
gigabit network.)


Is there any explanation for these strange results? Has anybody already
faced the same situation?

thx in advance,

--
Jonathan Saint-Léger
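
The per-process measurement described in the message (Tot Pkt Lost / Tot Packets for each Snort process), as an added example that is not part of the original post. It assumes the stats files are named `<pid>.<nic>` as written above and contain `Name : value` lines; the sample text, its layout and the function names are constructed for illustration.

```python
from pathlib import Path

# Counter names as quoted in the message, matched case-insensitively.
FIELDS = {"tot packets": "received", "tot pkt lost": "lost"}

# Constructed sample of one ring's stats text; layout and values are assumptions.
SAMPLE = """\
Bound Device  : eth1
Tot Packets   : 1000000
Tot Pkt Lost  : 300000
"""

def parse_ring_stats(text):
    """Extract the two counters from one ring's 'Name : value' stats text."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        key = FIELDS.get(" ".join(name.split()).lower())
        if sep and key and value.strip().isdigit():
            stats[key] = int(value)
    if set(stats) != set(FIELDS.values()):
        raise ValueError("missing Tot Packets / Tot Pkt Lost counters")
    return stats

def drop_rate(stats):
    """Tot Pkt Lost / Tot Packets; an idle ring (no packets) counts as 0."""
    return stats["lost"] / stats["received"] if stats["received"] else 0.0

def collect(proc_dir="/proc/net/pf_ring"):
    """Return {(pid, nic): drop rate} for every <pid>.<nic> entry."""
    rates = {}
    for path in Path(proc_dir).glob("*.*"):
        pid, _, nic = path.name.partition(".")
        if pid.isdigit():
            rates[(int(pid), nic)] = drop_rate(parse_ring_stats(path.read_text()))
    return rates

if __name__ == "__main__":
    # One line per Snort process, so runs with 1 and N processes can be compared.
    for (pid, nic), rate in sorted(collect().items()):
        print(f"pid {pid} on {nic}: {rate:.1%} dropped")
```

Each process is reported separately because every process has its own ring and counters, so the rates are compared per process rather than summed.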