Hosting Provided By

[Snort-devel] benchmarking snort

From: Nathan Tuck <ntuck1(at)san.rr.com>
Date: Sun May 11 2003 - 18:12:15 EDT

Hi. I'm a new member to the list, but have been hacking on snort for a little while.

My question is this. If I make changes to the pattern matching engine and am interested in determining whether I have increased or decreased performance, what is the recommended way of going about measuring that?

I've tried dumping sneeze output to a file and also using defcon traces. However, it appears to me that snort performance in these two cases is really bottlenecked by my disk bandwidth, and logging output. Thus far I have been benching snort with -b -A fast, but as I mentioned, it still seems like most of the time spent is non pattern-matching overhead. Any other flags I should turn on?

What do other list members use for benchmarking pattern matching in snort? Any advice accepted.

Thanks,

nate

PS - Does anyone know why sneeze gets caught in an infinite loop on quite a number of the rules files?

Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Sun May 11 18:04:37 2003

This message: [ Message body ]
Next message: Eric Lauzon: "RE: [Snort-devel] benchmarking snort"
Previous message: Jason_Royes: "spp_frag2 bug (Re: [Snort-devel] IP dgm len < IP Hdr len Alert question)"
Next in thread: Eric Lauzon: "RE: [Snort-devel] benchmarking snort"
Reply: Eric Lauzon: "RE: [Snort-devel] benchmarking snort"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT

Do you need help?