Please have a look at the 18.104.22.168 version. 2.6.1 is well over a year old and significant performance improvements have been made in the newer versions.
> I am using Snort-22.214.171.124 version.
> The file I am referring to is the acsmx.c in src/sfutil and the function
> is acsmSearch() in it.
> On Thu, 2008-07-17 at 09:35 -0400, Steven Sturges wrote:
>> Hi Govind--
>>
>> What version of Snort are you looking at? Snort 2.8.2 has some
>> significant changes to how a matching end-state is processed
>> that address the exact question you raise.
>>
>> The rules must be evaluated during processing of the packet,
>> and cannot easily be done offline.
>>
>> Cheers
>> -steve
>>
>> Govind wrote:
>>> Greetings all,
>>>
>>> I am studying the performance of the pattern-matching module in snort.
>>> In particular, I am studying the performance of the Aho-Corasick
>>> automaton based search.
>>>
>>> I would like to know if in case of a pattern-match do actions
>>> corresponding to rules need to be done at wire-speeds. The traversal of
>>> the Aho-Corasick automaton needs to be done at the incoming line-rate.
>>> But do the actions that correspond to each node - an alert or a packet
>>> log - also need to be done at wire-speeds.
>>>
>>> The reason I am asking is because I have noticed that there are nodes
>>> with multiple matches. These multiple matches are stored as linked
>>> list. I also observe that this can have a performance impact.
>>> Can these actions be done offline and not at the line-rate?
>>>
>>> Regards
>>> Govind
> Snort-devel mailing list
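
An added illustration of the structure discussed in this thread (not Snort's acsmx.c and not code from any poster): a minimal Aho-Corasick automaton in C in which each state carries a linked list of matches that is walked inline during the scan. The patterns, the input and every identifier here are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#define MAXS 64                                  /* enough states for the sample patterns */
typedef struct Match { int id; struct Match *next; } Match;
static int    nxt[MAXS][256], fail[MAXS], nstates, npool;
static Match *out[MAXS], pool[MAXS * 4];
static void add_match(int s, int id) {           /* prepend to the state's match list */
    Match *m = &pool[npool++]; m->id = id; m->next = out[s]; out[s] = m;
}
static void ac_build(const char **pats, int n) {
    int queue[MAXS], head = 0, tail = 0;
    memset(nxt, -1, sizeof nxt); memset(out, 0, sizeof out); memset(fail, 0, sizeof fail);
    nstates = 1; npool = 0;
    for (int i = 0; i < n; i++) {                /* 1. insert each pattern into the trie */
        int s = 0;
        for (const unsigned char *p = (const unsigned char *)pats[i]; *p; p++) {
            if (nxt[s][*p] < 0) nxt[s][*p] = nstates++;
            s = nxt[s][*p];
        }
        add_match(s, i);
    }
    for (int c = 0; c < 256; c++)                /* 2. root row; depth-1 states fail to root */
        if (nxt[0][c] < 0) nxt[0][c] = 0; else queue[tail++] = nxt[0][c];
    while (head < tail) {                        /* 3. BFS: failure links and full DFA rows */
        int s = queue[head++];
        for (int c = 0; c < 256; c++) {
            int t = nxt[s][c];
            if (t < 0) { nxt[s][c] = nxt[fail[s]][c]; continue; }
            fail[t] = nxt[fail[s]][c];
            /* a state inherits the matches of its failure state: this is
               where one node ends up with several list entries */
            for (Match *m = out[fail[t]]; m; m = m->next) add_match(t, m->id);
            queue[tail++] = t;
        }
    }
}
/* Scan buf; hits[id] counts matches per pattern. Returns the number of
   match-list nodes visited inline, i.e. the extra per-packet work. */
static int ac_search(const char *buf, int len, int *hits) {
    int s = 0, walked = 0;
    for (int i = 0; i < len; i++) {
        s = nxt[s][(unsigned char)buf[i]];
        for (Match *m = out[s]; m; m = m->next) { hits[m->id]++; walked++; }
    }
    return walked;
}
int main(void) {
    const char *pats[] = {"he", "she", "his", "hers"};   /* constructed sample */
    int hits[4] = {0};
    ac_build(pats, 4);
    printf("match-list nodes walked: %d\n", ac_search("ushers", 6, hits));
    return 0;
}
```

In this sample the state reached by "she" holds two list entries ("she" and the inherited "he"), so a single input byte triggers two list visits on the scan path.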