This is a discussion on Re: [Snort-users] Snort v2.7.0 improve performance with lowmem within the Snort forums, part of the System Security and Security Related category.
yes
On Mon, 23 Jul 2007, Colin Grady wrote:

> Date: Mon, 23 Jul 2007 11:02:34 -0500
> From: Colin Grady <colin.grady@gmail.com>
> To: rmkml <rmkml@free.fr>
> Cc: Justin Heath <justin.heath@gmail.com>, Snort-users@lists.sourceforge.net, Snort-devel@lists.sourceforge.net
> Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!
>
> To confirm, you're using stream4 with 2.6.1.5 and stream5 with 2.7.0?
>
> Thanks,
> Colin Grady
>
> On 7/22/07, rmkml <rmkml@free.fr> wrote:
>> Hi Justin and Colin,
>> Events missed by 270 are:
>> 97 (spp_stream4) possible EVASIVE FIN
>> 2 (spp_stream4) possible EVASIVE RST
>> but v270 is 50% faster than 2615!
>> Rmkml
>>
>> On Mon, 23 Jul 2007, Justin Heath wrote:
>>
>>> Date: Mon, 23 Jul 2007 11:19:05 -0400
>>> From: Justin Heath <justin.heath@gmail.com>
>>> To: Colin Grady <colin.grady@gmail.com>
>>> Cc: rmkml <rmkml@free.fr>, Snort-users@lists.sourceforge.net, Snort-devel@lists.sourceforge.net
>>> Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!
>>>
>>> Are you referring to rule or preprocessor/decoder alerts? How many individual alerts are present in 2.6.1.5 which are not present in 2.7.0? Do you have pcaps associated with the individual alerts? If so, can you send them in to bugs@snort.org along with the 2.6.1.5 and 2.7.0 conf file you are using, along with any configure/make args you are using?
>>>
>>> Cheers,
>>> Justin Heath
>>>
>>> On 7/23/07, Colin Grady <colin.grady@gmail.com> wrote:
>>>> Rmkml,
>>>>
>>>> There are a different number of alerts being generated for 2.6.1.5 and 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced false-positives or misses? Have you looked at the alerts that were generated in 2.6.1.5 but not 2.7.0 to validate/investigate the difference?
>>>>
>>>> Thanks,
>>>>
>>>> Colin Grady
>>>>
>>>> On 7/22/07, rmkml <rmkml@free.fr> wrote:
>>>>> Hi,
>>>>> Snort v2.7.0 improves performance, on the same pcap file:
>>>>> snort 2615 : 60s
>>>>> snort 270 : 30s
>>>>> search method used is lowmem and snort conf is similar (as much as possible),
>>>>>
>>>>> if I change to ac-bnfa, on the same pcap file:
>>>>> snort 2615 : 62s
>>>>> snort 270 : 36s
>>>>>
>>>>> lowmem uses 103Mo of memory and acbnfa uses 111Mo on snort 270.
>>>>> alert number: 270=25486, 2615=25585, test repeated 10x.
>>>>> tested on linux fedora core 7 x86 laptop platform
>>>>> Best Regards
>>>>> Rmkml
>>>>> Crusoe Researches
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by: Splunk Inc.
>>>>> Still grepping through log files to find problems? Stop.
>>>>> Now Search log events and configuration files using AJAX and a browser.
>>>>> Download your FREE copy of Splunk now http://get.splunk.com/
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users@lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/...fo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.p...st=snort-users
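The comparison Colin and Justin ask for (which signatures account for the 99-alert gap between 2.6.1.5 and 2.7.0) is easy to automate. The script below is an added example, not code from the thread or from the Snort project: it parses Snort 2.x alert_fast output from two runs over the same pcap, counts alerts per [gid:sid] and message, and reports every signature whose count changed. The sample alert lines are constructed for illustration, including the gid 111 stream4 evasion alerts the thread mentions.

```python
import re
from collections import Counter

# Snort 2.x alert_fast line: "<timestamp>  [**] [gid:sid:rev] message [**] ..."
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")


def count_alerts(lines):
    """Count alerts per (gid, sid, message) across alert_fast lines.

    Lines without a [gid:sid:rev] tag (banners, blank lines) are ignored,
    so an unfiltered Snort log can be fed in directly."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            gid, sid, msg = m.groups()
            counts[(int(gid), int(sid), msg)] += 1
    return counts


def diff_alerts(old_lines, new_lines):
    """Return {(gid, sid, msg): (old_count, new_count)} for each signature
    whose count differs between the two runs; unchanged ones are omitted."""
    old, new = count_alerts(old_lines), count_alerts(new_lines)
    return {k: (old[k], new[k]) for k in old.keys() | new.keys() if old[k] != new[k]}


# Constructed sample output of two runs over the same pcap: the stream4 run
# raises evasion alerts that the stream5 run does not, while rule hits match.
RULE_HIT = "07/22-10:00:01.000001  [**] [1:2000:1] WEB-MISC example [**] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:3456"
EVASIVE_FIN = "07/22-10:00:02.000002  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:3456"
EVASIVE_RST = "07/22-10:00:03.000003  [**] [111:2:1] (spp_stream4) possible EVASIVE RST [**] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:3457"
ALERTS_2615 = [RULE_HIT, EVASIVE_FIN, RULE_HIT, EVASIVE_FIN, EVASIVE_RST, EVASIVE_FIN]
ALERTS_270 = [RULE_HIT, RULE_HIT]

if __name__ == "__main__":
    # On real data, read both alert files and pass their lines instead.
    for (gid, sid, msg), (old, new) in sorted(diff_alerts(ALERTS_2615, ALERTS_270).items()):
        print(f"[{gid}:{sid}] {msg}: {old} -> {new}")
```

Feeding the two real alert files to diff_alerts tells you immediately whether the missing alerts are preprocessor events (gid 111 here) or rule matches, which is what Justin's question hinges on.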