Performance Measurements

Testbed description

The testbed for performing the measurements looks like the following:

Name, IP-Address	Hardware	Software	Function
gauss, 192.168.0.1	Pentium II, 200 MHz, 192 MB RAM	SuSE Linux 6.4	Send data as fast as possible using tcpreplay to pp305
pp305, 192.168.0.2	Pentium III, 550 MHz, 256 MB RAM	SuSE Linux 8.0	Run Snort and try to analyze as many packets as possible

Both machines were connected via a direct fast Ethernet (100 Mbps) connection that was loaded about 25% during the test.
The software for doing the performance measurements basically contains:

• Software for initiating the sending of data (on gauss and pp305)

• Snort and Snort-NG, which are run with the parameters (on pp305 only)

                    -N -A none (logging disabled, no output).

• Management software( mostly scripts, contolling nr. of. tests at each point, range testing, visualization), run on pp305

Results

This section shows comparisons between Snort-1.8.6 and Snort-1.8.6-NG. We measured the precentage of all packets sent by gauss that have been analyzed at pp305.

Test Case 1:

tcpdump-file:    outside.tcpdump, 68640558 bytes, May 5th, 1998
                        taken from MIT Lincoln Labs Evaluation Data

• This graph shows the results for Snort and Snort-NG with the clustering algorithm and parallel string matching enabled.

• This graph shows the impact of parallel string matching by comparing a version of Snort-NG with this feature enabled to one that uses sequential string matching (i.e. one string after the other).

Test Case 2:

tcpdump-file:    border.tcpdump1, 137121512 bytes, Aug. 29th, 2002
                        traffic captured at the institute's firewall during a period of 24 hours

• This graph shows the results for Snort and Snort-NG with the clustering algorithm and parallel string matching enabled.

---

Snort-NG Maintainer