Finer detail


For the second set of test runs only the wget and wget_mtuslide traffic types were used. The tcpreplay of UDP packets was judged to be too artificial a traffic stream to give useful numbers for anything other than the packet plumbing of the test rig. Because of this the maximal speeds for snort_inline.null have been revised down; the differences are discussed below. The patch loops were taken out of these runs because their effect is much larger and distracts from the metrics being focused on.

Metric          Device Under Test   Configuration   Traffic type
Packets / Sec   outofdut
Mbits / Sec     outofdut

By selectively pairing up the config files' performance and computing the differences in both configuration and performance, we can begin to get a better understanding of the performance implications of each configuration option. Below are tables of the differences in maximal packets per second and Mbits per second for each of the above runs.

The Differences in performance by config file differences

Relative performance by configuration

Differences in Pkts/sec by config (snmp outofdut)

config                                                         | intel_dual        | realtek_dual
snort_inline.perfmonitor - snort_inline.null                   | -2.00 / -6.73 %   | -0.30 / -1.51 %
snort_inline.vars - snort_inline.perfmonitor                   | -3.80 / -13.72 %  | -0.80 / -4.08 %
snort_inline.checksums - snort_inline.vars                     |  4.00 / 16.74 %   |  1.50 / 7.98 %
snort_inline.flow - snort_inline.checksums                     | -3.80 / -13.62 %  | -0.30 / -1.48 %
snort_inline.stream4 - snort_inline.flow                       | -7.40 / -30.71 %  | -5.10 / -25.50 %
snort_inline.stream4_webperproc - snort_inline.stream4         |  0.60 / 3.59 %    |  0.00 / 0.00 %
snort_inline.all_preproc - snort_inline.stream4_webperproc     | -3.20 / -18.50 %  | -1.70 / -11.41 %
snort_inline.web_rules - snort_inline.all_preproc              |  0.50 / 3.55 %    |  0.00 / 0.00 %
snort_inline.all - snort_inline.web_rules                      | -0.20 / -1.37 %   |  0.30 / 2.27 %
snort_inline.bleeding - snort_inline.all                       |  0.10 / 0.69 %    | -0.30 / -2.22 %

Differences in Mbits/sec by config (snmp outofdut)

config                                                         | intel_dual        | realtek_dual
snort_inline.perfmonitor - snort_inline.null                   | -11.00 / -6.01 %  | -2.00 / -1.60 %
snort_inline.vars - snort_inline.perfmonitor                   |  2.00 / 1.16 %    |  4.00 / 3.25 %
snort_inline.checksums - snort_inline.vars                     |  3.00 / 1.72 %    |  7.00 / 5.51 %
snort_inline.flow - snort_inline.checksums                     | -24.00 / -13.56 % | -11.00 / -8.21 %
snort_inline.stream4 - snort_inline.flow                       | -44.00 / -28.76 % | -31.30 / -25.45 %
snort_inline.stream4_webperproc - snort_inline.stream4         | -6.00 / -5.50 %   | -0.20 / -0.22 %
snort_inline.all_preproc - snort_inline.stream4_webperproc     | -24.80 / -24.08 % | -20.30 / -22.19 %
snort_inline.web_rules - snort_inline.all_preproc              |  10.40 / 13.30 %  |  10.40 / 14.61 %
snort_inline.all - snort_inline.web_rules                      |  1.10 / 1.24 %    |  0.00 / 0.00 %
snort_inline.bleeding - snort_inline.all                       |  0.10 / 0.11 %    |  3.50 / 4.29 %

For each row of the table, two configurations are compared, for example snort_inline.vars - snort_inline.null. If the values in the table are negative, snort_inline.vars is slower, and the negative value is by how much. The percentage is the relative performance difference based on the second config file. So in this case snort_inline.vars is 3.7 Kpkts/sec slower than snort_inline.null on the intel_dual DUT. Likewise there is a 5.94% Mbit/sec degradation.

In some cases there is a performance boost. Sometimes this may be due to measurement variability, and sometimes it is because the maximal numbers are not as useful as they should be. As a later example will show, snort_inline.all and snort_inline.bleeding are not as similar in performance as the maximal numbers may lead you to believe.
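The computation behind the two difference tables, written out as an added example (this is not code from the original report). Each row pairs a config with the one listed before it, takes the difference of their maximal throughput, and expresses it as a percentage of the second config's value, so a negative number means the first config is slower. The per-config maxima below are constructed sample values chosen to illustrate the arithmetic; they are not the measured numbers from the test rig.

```python
"""Pairwise throughput differences between snort_inline configurations.

Added example, not part of the original report. SAMPLE_MAXIMA holds
constructed sample figures (Kpkts/sec, Mbits/sec), not measured data.
"""

# Order in which the report chains the comparisons: each row compares a
# config against the one listed just before it.
CONFIG_ORDER = [
    "snort_inline.null",
    "snort_inline.perfmonitor",
    "snort_inline.vars",
    "snort_inline.checksums",
    "snort_inline.flow",
    "snort_inline.stream4",
]

# Constructed sample maxima per config: (Kpkts/sec, Mbits/sec).
SAMPLE_MAXIMA = {
    "snort_inline.null":        (29.70, 183.0),
    "snort_inline.perfmonitor": (27.70, 172.0),
    "snort_inline.vars":        (23.90, 174.0),
    "snort_inline.checksums":   (27.90, 177.0),
    "snort_inline.flow":        (24.10, 153.0),
    "snort_inline.stream4":     (16.70, 109.0),
}


def difference(first, second):
    """Return (first - second, relative % based on `second`).

    A negative result means the first configuration is slower than the
    second, which is how the report's tables read.
    """
    if second == 0:
        raise ValueError("cannot express a relative difference against 0")
    absolute = first - second
    relative = absolute / second * 100.0
    return round(absolute, 2), round(relative, 2)


def difference_table(order, maxima):
    """Build one row per adjacent pair in `order`:
    (label, (pkts_diff, pkts_pct), (mbits_diff, mbits_pct))."""
    rows = []
    for newer, older in zip(order[1:], order):
        pk_new, mb_new = maxima[newer]
        pk_old, mb_old = maxima[older]
        rows.append((f"{newer} - {older}",
                     difference(pk_new, pk_old),
                     difference(mb_new, mb_old)))
    return rows


def format_table(rows):
    """Render rows in the same 'diff / pct %' layout the report uses."""
    lines = [f"{'config':55} {'Kpkts/sec':>20} {'Mbits/sec':>20}"]
    for label, (pd, pp), (md, mp) in rows:
        lines.append(f"{label:55} {pd:8.2f} / {pp:7.2f} % {md:8.2f} / {mp:7.2f} %")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(difference_table(CONFIG_ORDER, SAMPLE_MAXIMA)))
```

Because every row is relative to its predecessor, a measurement wobble in one config shows up twice: once as an apparent loss in its own row and once as an apparent gain in the next row. That is one reason a small positive entry in the tables above should not be read as a real speed-up without looking at the underlying maxima.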

The snort_inline configurations.

Config name                             # lines   # vars   # preprocs   rules
snort_inline.null.conf                        0        0            0       0
  (no preprocessors)
snort_inline.vars.conf                        8        7            1       0
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.checksums.conf                  12       10            1       0
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.flow.conf                       14       11            2       0
  preprocessor flow: stats_interval 5 hash 2
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.stream4.conf                    15       11            3       0
  preprocessor stream4: disable_evasion_alerts
  preprocessor stream4_reassemble: both
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.stream4_webperproc.conf         17       11            5       0
  preprocessor stream4: disable_evasion_alerts
  preprocessor stream4_reassemble: both
  preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.all_preproc.conf                22       11           10       0
  preprocessor flow: stats_interval 5 hash 2
  preprocessor stream4: disable_evasion_alerts, stream4inline
  preprocessor stream4_reassemble: both
  preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
  preprocessor rpc_decode: 111 32771
  preprocessor bo
  preprocessor telnet_decode
  preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.web_rules.conf                1118       11           10    1054
  preprocessor flow: stats_interval 5 hash 2
  preprocessor stream4: disable_evasion_alerts
  preprocessor stream4_reassemble: both
  preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
  preprocessor rpc_decode: 111 32771
  preprocessor bo
  preprocessor telnet_decode
  preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.all.conf                      2244       11           10    2180
  preprocessor flow: stats_interval 5 hash 2
  preprocessor stream4: disable_evasion_alerts
  preprocessor stream4_reassemble: both
  preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
  preprocessor rpc_decode: 111 32771
  preprocessor bo
  preprocessor telnet_decode
  preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
snort_inline.bleeding.conf                  955       12           10     888
  preprocessor flow: stats_interval 5 hash 2
  preprocessor stream4: disable_evasion_alerts
  preprocessor stream4_reassemble: both
  preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
  preprocessor rpc_decode: 111 32771
  preprocessor bo
  preprocessor telnet_decode
  preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
  preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
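To reproduce the columns of the configuration table above for a config file of your own, a small summariser like the following helps. It is an added example, not a tool from the report or from the snort_inline project, and it makes assumptions about how the table's counts were derived: blank and comment lines are not counted, a rule continued over several lines with a trailing backslash counts once, `var` lines are the "# vars", and lines beginning with a snort rule action are the "rules". The sample config text is constructed, loosely modelled on snort_inline.flow.conf with two rules added.

```python
"""Summarise a snort_inline config the way the report's table does.

Added example, not part of the original report. SAMPLE_CONFIG is
constructed text; the counting rules are assumptions (see comments).
"""

# Rule actions accepted in snort / snort_inline rule headers. Assumption:
# this set covers the actions used in the benchmarked rule sets.
RULE_ACTIONS = {"alert", "log", "pass", "drop", "sdrop", "reject",
                "activate", "dynamic"}

# Constructed sample config, not one of the report's files.
SAMPLE_CONFIG = r"""
# constructed sample modelled on snort_inline.flow.conf
var HOME_NET any
var EXTERNAL_NET any
var HTTP_PORTS 80
include $RULE_PATH/web-cgi.rules
preprocessor flow: stats_interval 5 hash 2
preprocessor perfmonitor: time 5 file /var/snort/snort.stats pktcnt 10000
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed sample rule"; \
    content:"example"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"second constructed rule"; sid:1000002; rev:1;)
"""


def logical_lines(text):
    """Yield non-blank, non-comment logical lines.

    Lines ending in a backslash (snort's continuation marker) are joined
    with the following line so a multi-line rule is counted once.
    Assumption: blank and '#' comment lines are not counted as lines.
    """
    buf = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not buf and (not stripped or stripped.startswith("#")):
            continue
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        yield " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield " ".join(buf)


def summarize_config(text):
    """Return counts matching the table columns plus the preprocessor
    directives themselves (the 'Preprocessors' column)."""
    summary = {"lines": 0, "vars": 0, "preprocs": [], "rules": 0, "other": 0}
    for line in logical_lines(text):
        summary["lines"] += 1
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "var":
            summary["vars"] += 1
        elif keyword == "preprocessor":
            # keep the directive text after the keyword, as the report lists it
            summary["preprocs"].append(parts[1] if len(parts) > 1 else "")
        elif keyword in RULE_ACTIONS:
            summary["rules"] += 1
        else:
            summary["other"] += 1  # include, config, output lines, ...
    return summary


def table_row(name, summary):
    """Format one row in the layout of the report's configuration table."""
    return (f"{name:40} {summary['lines']:7d} {summary['vars']:8d} "
            f"{len(summary['preprocs']):12d} {summary['rules']:7d}")


if __name__ == "__main__":
    s = summarize_config(SAMPLE_CONFIG)
    print(table_row("constructed_sample.conf", s))
    for directive in s["preprocs"]:
        print("  preprocessor", directive)
```

The "other" bucket is worth printing when comparing two files: an `include` line adds to the line count but pulls in rules that the per-file rule count never sees, which is one way two configs with similar table rows can differ a great deal in the work the engine actually does.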

One quick tangential result: because we are no longer using UDP, our maximal values for snort_inline.null have been revised down. For a more in-depth discussion of why this happened, see the quick tangent.

Basic Results