Snort mailing list archives

Re: Average delay per packet observation


From: Navdeep Uniyal <Navdeep.Uniyal () neclab eu>
Date: Fri, 7 Jul 2017 11:46:04 +0000

Hi Patrick,

Thanks for your reply.
For the experiment, I am running 15 iterations and the traffic size is approximately 675Kb/sec. I am using the D-ITG traffic generator to measure my results. Each packet is 1500 bytes. Snort is running inline in a docker container pinned to a single CPU.
Could you also please explain a bit more about the "rules option tree and fast pattern matcher".


Best Regards,
Navdeep

From: Patrick Mullen [mailto:pmullen () sourcefire com]
Sent: Friday, 7 July 2017 13:33
To: Navdeep Uniyal
Cc: snort-devel () lists snort org; Steve Sturges (ststurge)
Subject: Re: [Snort-devel] Average delay per packet observation

Because of the rules option tree, your "halved" theory doesn't work. Also, because of the fast pattern matcher, what rules are evaluated is further complicated.

Of greater interest (assuming I'm reading the results correctly) is how different your results are for 80 rules. How are you getting your numbers? How much traffic are you passing? How many iterations of your test are you running? With small, short tests, many things can skew results, especially on multiuser systems.


Thanks,

Patrick
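To make concrete why the per-packet cost does not halve with the rule count, here is an added example (my own simplified model, not Snort's code): rules whose option chains are identical share one path in a rule option tree, so the 16*5, 8*5, 4*5 and 2*5 rule sets from the thread all cost the same number of option evaluations per packet. The sids, payload and the two-option chain are constructed for illustration; real Snort additionally prefilters rules with the fast pattern matcher, which this model omits.

```python
# Simplified model of Snort's rule option tree (illustrative, not Snort code):
# rules with identical option chains share one path, so cost is not per-rule.

def build_rules(copies, n_unique=5):
    """Constructed set: n_unique chains, each repeated `copies` times under a new sid."""
    rules, sid = [], 1000000
    for _ in range(copies):
        for u in range(n_unique):
            chain = (("content", f"PAT{u}"), ("dsize", 1500))  # content, then dsize
            rules.append((sid, chain))
            sid += 1
    return rules

def build_option_tree(rules):
    """Merge chains into a trie; rules with equal chains end at the same node."""
    root = {"children": {}, "sids": []}
    for sid, chain in rules:
        node = root
        for opt in chain:
            node = node["children"].setdefault(opt, {"children": {}, "sids": []})
        node["sids"].append(sid)
    return root

def option_matches(opt, pkt):
    name, value = opt
    if name == "content":
        return value.encode() in pkt["payload"]
    return pkt.get(name) == value

def evaluate_tree(tree, pkt):
    """Walk the tree once; returns (matched sids, option evaluations performed)."""
    matched, evals, stack = [], 0, [tree]
    while stack:
        node = stack.pop()
        matched.extend(node["sids"])
        for opt, child in node["children"].items():
            evals += 1
            if option_matches(opt, pkt):
                stack.append(child)
    return matched, evals

def compare(copies):
    """One constructed 1500-byte packet matching every rule: sequential vs tree cost."""
    rules = build_rules(copies)
    payload = b"PAT0 PAT1 PAT2 PAT3 PAT4".ljust(1500, b"\x00")
    pkt = {"payload": payload, "dsize": len(payload)}
    matched, tree_evals = evaluate_tree(build_option_tree(rules), pkt)
    sequential_evals = sum(len(chain) for _, chain in rules)  # every rule, every option
    return {"rules": len(rules), "matched": sorted(matched),
            "sequential_evals": sequential_evals, "tree_evals": tree_evals}
```

Calling compare(16), compare(8), compare(4) and compare(2) reproduces the 80/40/20/10-rule sets: sequential_evals halves each time, while tree_evals stays at 10 and every sid still matches.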

On Jul 7, 2017 4:53 AM, "Navdeep Uniyal" <Navdeep.Uniyal () neclab eu> wrote:
Thank you for your reply.

In my case I am using a set of 5 rules repeated over (with different sids). So approximately each set should take the same amount of time relatively.
Example: 80 rules have (16*5) rules
         40 rules have (8*5) rules
         20 rules have (4*5) rules
         10 rules have (2*5) rules

This way, I assume the delay should get halved in each case from 80 to 40. But this is not happening, as we can see from the results. Could you please help me in getting the explanation?


Best Regards,
Navdeep

From: Steven Sturges [mailto:ststurge () cisco com]
Sent: Wednesday, 5 July 2017 13:43
To: Navdeep Uniyal; snort-devel () lists snort org
Subject: Re: [Snort-devel] Average delay per packet observation


Rules are not processed sequentially. Your expectations should depend on the nature of the individual rules themselves.
On 7/4/17 10:16 AM, Navdeep Uniyal wrote:
Hello everyone,

I got some interesting results running snort (inline) for an experiment with 80, 40, 20 and 10 rules:
All rules are matching all the incoming UDP packets. Below is the average delay per packet I found in the 4 experiments:

80 rules:    Average delay: 0.000680666813409 seconds
40 rules:    Average delay: 2.06440535385e-08 seconds
20 rules:    Average delay: 1.6644513569e-08 seconds
10 rules:    Average delay: 1.43723338507e-08 seconds

These results are quite confusing, as I expect that on decreasing from 80 to 40 rules the average delay should be approximately halved. But I can't see such behavior here.

What could be the possible reason? Could someone explain.



Best Regards,
Navdeep




_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

