This is a discussion on Re: [Snort-users] Snort v2.7.0 improve performance with lowmem within the Snort forums, part of the System Security and Security Related category.
Wow, 50% faster...?
FYI: ac-bnfa can be slower at startup, but as far as we know, is always faster than lowmem at run-time.

rmkml wrote:
> Hi Justin and Colin,
> Events missed by 270 are:
> 97 (spp_stream4) possible EVASIVE FIN
> 2 (spp_stream4) possible EVASIVE RST
> but v270 is 50% faster than 2615!
> Rmkml
>
> On Mon, 23 Jul 2007, Justin Heath wrote:
>
>> Date: Mon, 23 Jul 2007 11:19:05 -0400
>> From: Justin Heath <justin.heath@gmail.com>
>> To: Colin Grady <colin.grady@gmail.com>
>> Cc: rmkml <rmkml@free.fr>, Snort-users@lists.sourceforge.net, Snort-devel@lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!
>>
>> Are you referring to rule or preprocessor/decoder alerts? How many individual alerts are present in 2.6.1.5 which are not present in 2.7.0? Do you have pcaps associated with the individual alerts? If so, can you send them in to bugs@snort.org along with the 2.6.1.5 and 2.7.0 conf file you are using, along with any configure/make args you are using?
>>
>> Cheers,
>> Justin Heath
>>
>> On 7/23/07, Colin Grady <colin.grady@gmail.com> wrote:
>>> Rmkml,
>>>
>>> There are a different number of alerts being generated for 2.6.1.5 and 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced false-positives or misses? Have you looked at the alerts that were generated in 2.6.1.5 but not 2.7.0 to validate/investigate the difference?
>>>
>>> Thanks,
>>>
>>> Colin Grady
>>>
>>> On 7/22/07, rmkml <rmkml@free.fr> wrote:
>>>> Hi,
>>>> Snort v2.7.0 improves performance, on the same pcap file:
>>>> snort 2615 : 60s
>>>> snort 270 : 30s
>>>> search method used is lowmem and snort conf is similar (as far as possible),
>>>>
>>>> if I change to ac-bnfa, on the same pcap file:
>>>> snort 2615 : 62s
>>>> snort 270 : 36s
>>>>
>>>> lowmem uses 103 MB of memory and acbnfa uses 111 MB on snort 270.
>>>> alert number: 270=25486, 2615=25585, test repeated 10x.
>>>> tested on linux fedora core 7 x86 laptop platform
>>>> Best Regards
>>>> Rmkml
>>>> Crusoe Researches
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.net email is sponsored by: Splunk Inc.
>>>> Still grepping through log files to find problems? Stop.
>>>> Now Search log events and configuration files using AJAX and a browser.
>>>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users@lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/...fo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.p...st=snort-users
>>>>
>>>
>

--
Marc Norton
Sourcefire, Inc
410-423-1924
www.snort.org
www.sourcefire.com
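The question Colin and Justin raise, which signatures account for the 99 alerts that 2.6.1.5 raised and 2.7.0 did not, is answered by counting alerts per signature in each run's output and diffing the counts. The script below is an added example (not code from the thread or from Snort) that does this over alert_fast-style lines; the sample lines, IP addresses and sids are constructed for illustration and are not Snort's real identifiers.

```python
import re
from collections import Counter

# Shape of a Snort alert_fast record (constructed sample lines below, not from the thread):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Priority: n] {proto} src -> dst
FAST_ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

def count_alerts(lines):
    """Count alerts per (gid:sid, message); lines that are not alert_fast records are skipped."""
    counts = Counter()
    for line in lines:
        m = FAST_ALERT_RE.match(line.strip())
        if m:
            counts[(f"{m['gid']}:{m['sid']}", m["msg"])] += 1
    return counts

def diff_alerts(old_lines, new_lines):
    """Return {(sig, msg): (old_count, new_count)} for every signature whose count changed."""
    old, new = count_alerts(old_lines), count_alerts(new_lines)
    return {k: (old[k], new[k]) for k in old.keys() | new.keys() if old[k] != new[k]}

# Constructed output of two runs over the same pcap; sids 9000xx are placeholders.
OLD_RUN = """\
07/22-10:00:01.000001  [**] [111:900001:1] (spp_stream4) possible EVASIVE FIN [**] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
07/22-10:00:01.000002  [**] [111:900001:1] (spp_stream4) possible EVASIVE FIN [**] {TCP} 10.0.0.5:40002 -> 10.0.0.9:80
07/22-10:00:01.000003  [**] [111:900002:1] (spp_stream4) possible EVASIVE RST [**] {TCP} 10.0.0.5:40003 -> 10.0.0.9:80
07/22-10:00:02.000004  [**] [1:900003:2] EXAMPLE web request [**] [Priority: 3] {TCP} 10.0.0.5:40004 -> 10.0.0.9:80
""".splitlines()

NEW_RUN = """\
07/22-10:00:01.000001  [**] [111:900001:1] (spp_stream4) possible EVASIVE FIN [**] {TCP} 10.0.0.5:40001 -> 10.0.0.9:80
07/22-10:00:02.000004  [**] [1:900003:2] EXAMPLE web request [**] [Priority: 3] {TCP} 10.0.0.5:40004 -> 10.0.0.9:80
""".splitlines()

if __name__ == "__main__":
    # Only the signatures whose counts differ are listed, so unchanged rule alerts stay out of the way.
    for (sig, msg), (old_n, new_n) in sorted(diff_alerts(OLD_RUN, NEW_RUN).items()):
        print(f"{sig}  {msg}: {old_n} -> {new_n}")
```

Pointing OLD_RUN and NEW_RUN at the real alert files from the two Snort builds gives the per-signature breakdown (here the stream4 evasive FIN/RST events) that bugs@snort.org would want alongside the pcap and conf files.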