
| Subject: | [Snort-users] Fwd: Snort v2.7.0 improve performance with lowmem search method on pcap file! |
|---|---|
| Date: | Mon, 23 Jul 2007 12:02:45 -0400 |
Forgot to CC list.

---------- Forwarded message ----------
From: Justin Heath <justin.heath@gmail.com>
Date: Jul 23, 2007 12:02 PM
Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!
To: rmkml <rmkml@free.fr>

rmkml,

Are you still using stream4 in 270 or are you using stream5?

Cheers,
Justin

On 7/22/07, rmkml <rmkml@free.fr> wrote:
> Hi Justin and Colin,
>
> Events missed by 270 are:
>   97 (spp_stream4) possible EVASIVE FIN
>    2 (spp_stream4) possible EVASIVE RST
> but v270 is 50% faster than 2615!
>
> Rmkml
>
> On Mon, 23 Jul 2007, Justin Heath wrote:
> > Date: Mon, 23 Jul 2007 11:19:05 -0400
> > From: Justin Heath <justin.heath@gmail.com>
> > To: Colin Grady <colin.grady@gmail.com>
> > Cc: rmkml <rmkml@free.fr>, Snort-users@lists.sourceforge.net, Snort-devel@lists.sourceforge.net
> > Subject: Re: [Snort-users] Snort v2.7.0 improve performance with lowmem search method on pcap file!
> >
> > Are you referring to rule or preprocessor/decoder alerts? How many individual alerts are present in 2.6.1.5 which are not present in 2.7.0? Do you have pcaps associated with the individual alerts? If so, can you send them in to bugs@snort.org along with the 2.6.1.5 and 2.7.0 conf files you are using, along with any configure/make args you are using?
> >
> > Cheers,
> > Justin Heath
> >
> > On 7/23/07, Colin Grady <colin.grady@gmail.com> wrote:
> > > Rmkml,
> > >
> > > There are a different number of alerts being generated for 2.6.1.5 and 2.7.0 -- 99 more in 2.6.1.5. Is this a representation of reduced false-positives or misses? Have you looked at the alerts that were generated in 2.6.1.5 but not 2.7.0 to validate/investigate the difference?
> > >
> > > Thanks,
> > > Colin Grady
> > >
> > > On 7/22/07, rmkml <rmkml@free.fr> wrote:
> > > > Hi,
> > > >
> > > > Snort v2.7.0 improves performance, on the same pcap file:
> > > >   snort 2615 : 60s
> > > >   snort 270  : 30s
> > > > The search method used is lowmem and the snort conf is similar (as much as possible). If I change to ac-bnfa, on the same pcap file:
> > > >   snort 2615 : 62s
> > > >   snort 270  : 36s
> > > > lowmem uses 103Mo of memory and acbnfa uses 111Mo on snort 270.
> > > > alert number: 270=25486, 2615=25585, test repeated 10x.
> > > > Tested on Linux Fedora Core 7 x86 laptop platform.
> > > >
> > > > Best Regards
> > > > Rmkml
> > > > Crusoe Researches

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
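The question the thread turns on, which alerts 2.6.1.5 raised that 2.7.0 did not and whether they are rule hits or preprocessor/decoder events, is answered by diffing the two alert files per signature rather than comparing totals. The following is an added Python example, not code from the thread or from the Snort project. It assumes both runs were logged in Snort's fast alert format (-A fast); the sample alert lines, gid/sid values and addresses below are constructed for the example and are not taken from the thread.

```python
import re
from collections import Counter

# One line of Snort's "fast" alert output (assumption: both runs were logged
# with -A fast).  The Classification field is optional, so it is matched lazily.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# Constructed sample runs: an "old" run with two stream4 evasive-FIN events,
# one evasive-RST event and one rule hit, and a "new" run with only the rule
# hit.  gid/sid values and addresses are made up for the example.
OLD_RUN = """\
07/22-10:00:01.000001  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 192.0.2.10:40001 -> 192.0.2.20:80
07/22-10:00:02.000002  [**] [111:1:1] (spp_stream4) possible EVASIVE FIN [**] [Priority: 3] {TCP} 192.0.2.11:40002 -> 192.0.2.20:80
07/22-10:00:03.000003  [**] [111:2:1] (spp_stream4) possible EVASIVE RST [**] [Priority: 3] {TCP} 192.0.2.12:40003 -> 192.0.2.20:80
07/22-10:00:04.000004  [**] [1:1000001:1] CONSTRUCTED rule hit [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.13:40004 -> 192.0.2.20:80
"""

NEW_RUN = """\
07/22-10:00:04.000004  [**] [1:1000001:1] CONSTRUCTED rule hit [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.13:40004 -> 192.0.2.20:80

"""


def parse_alerts(text):
    """Return one dict per parseable alert line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_signature(text):
    """Counter keyed by (gid, sid, msg): how often each signature fired."""
    return Counter((a['gid'], a['sid'], a['msg']) for a in parse_alerts(text))


def diff_runs(old_text, new_text):
    """Signatures whose count differs between two runs -> (old_count, new_count)."""
    old, new = count_by_signature(old_text), count_by_signature(new_text)
    return {sig: (old[sig], new[sig])
            for sig in set(old) | set(new) if old[sig] != new[sig]}


def report(old_text, new_text):
    """Human-readable lines: totals first, then every signature whose count
    changed, tagged as a rule hit (gid 1) or a preprocessor/decoder event."""
    old_total = sum(count_by_signature(old_text).values())
    new_total = sum(count_by_signature(new_text).values())
    lines = [f"total alerts: old={old_total} new={new_total} delta={new_total - old_total}"]
    for (gid, sid, msg), (o, n) in sorted(diff_runs(old_text, new_text).items()):
        kind = "rule" if gid == "1" else "preprocessor/decoder"
        lines.append(f"[{gid}:{sid}] {msg}: old={o} new={n} ({kind})")
    return lines


if __name__ == "__main__":
    # With real data, read the two alert files produced by the two Snort
    # versions on the same pcap and pass their contents here instead.
    print("\n".join(report(OLD_RUN, NEW_RUN)))
```

Keying on (gid, sid, msg) rather than on the whole line is deliberate: packet timestamps and flow tuples are identical between two runs over one pcap, so any per-line difference is noise, while a signature whose count drops to zero is exactly the kind of stream4 event the thread reports missing. Whether such a drop is a fixed false positive or a miss still needs the pcap and the configs for both versions, as Justin asks for.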