Snort mailing list archives
Re: Average delay per packet observation
From: Navdeep Uniyal <Navdeep.Uniyal () neclab eu>
Date: Fri, 7 Jul 2017 08:52:16 +0000
Thank you for your reply.

In my case I am using a set of 5 rules repeated over (with different sid). So approximately each set should take the same amount of time relatively. Example:

80 rules have (16*5) rules
40 rules have (8*5) rules
20 rules have (4*5) rules
10 rules have (2*5) rules

By this way, I assume the delay should get halved in each case from 80 to 40. But this is not happening as we can see from the results.

Could you please help me in getting the explanation?

Best Regards,
Navdeep

From: Steven Sturges [mailto:ststurge () cisco com]
Sent: Wednesday, 5 July 2017 13:43
To: Navdeep Uniyal; snort-devel () lists snort org
Subject: Re: [Snort-devel] Average delay per packet observation

Rules are not processed sequentially. Your expectations should depend on the nature of the individual rules themselves.

On 7/4/17 10:16 AM, Navdeep Uniyal wrote:

Hello everyone,

I got some interesting results running snort (inline) for experiment with 80, 40, 20, 10 number of rules. All rules are matching all the incoming UDP packets. Below are the average delay per packet I found in the 4 experiments:

80 rules: Average delay: 0.000680666813409 seconds
40 rules: Average delay: 2.06440535385e-08 seconds
20 rules: Average delay: 1.6644513569e-08 seconds
10 rules: Average delay: 1.43723338507e-08 seconds

These results are quite confusing as I expect, on decreasing from 80 to 40 rules the average delay should be approximately halved. But I can't see such behavior here. What could be the possible reason, if someone could explain.

Best Regards,
Navdeep

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!