Snort Search Method Differences
-
Hello Fellow Netgate Community Members,
I wanted to take the time to make a post about the differences between the search methods used with Snort. If you can add to this and help with understanding, please reply.

Quoted from the help text of an older version of pfSense:

- LOWMEM and AC-BNFA are recommended for low end systems.
- AC-SPLIT: low memory, high performance; short-hand for search-method ac split-any-any.
- AC: high memory, best performance.
- -NQ: the -nq option specifies that matches should not be queued and evaluated as they are found.
- AC-STD: moderate memory, high performance.
- ACS: small memory, moderate performance.
- AC_BANDED: small memory, moderate performance.
- AC-SPARSEBANDS: small memory, high performance.

The default is AC-BNFA; however, many forum posts recommend using AC-BNFA-NQ.
-
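Added example, not part of any post in this thread: the setting the thread is discussing is the `search-method` option of Snort's `config detection:` directive in snort.conf (the pfSense Snort package writes this line into the snort.conf it generates for each interface from the GUI selection). The fragment below shows the high-memory option beside the one the thread recommends, so the two choices can be compared directly. The `search-optimize` and `max-pattern-len` keywords are as I recall them from the stock Snort 2.9 snort.conf; check them against the manual for the Snort version you actually run.

```conf
# Full Aho-Corasick state machine: best matching speed, but the largest state
# tables. Per the thread, this is the setting that can exhaust memory on a
# small firewall. Shown commented out so it is not active.
#config detection: search-method ac

# Binary NFA Aho-Corasick with no match queue (-nq): matches are evaluated
# as they are found instead of being queued. Low memory, and the setting
# recommended in the thread for pfSense.
config detection: search-method ac-bnfa-nq search-optimize max-pattern-len 20
```

To confirm what the package actually wrote on a pfSense box, look for the `search-method` line in the generated per-interface snort.conf (assumed path pattern, taken from how the package names its directories: `/usr/local/etc/snort/snort_*/snort.conf`); if it still says `ac` after changing the GUI setting, the interface has not been restarted with the new configuration.
-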
@jonathanlee We usually use Suricata but occasionally Snort. Out of curiosity I tried searching and found https://forum.netgate.com/topic/76675/snort-search-method/2 by Bill that is admittedly from 2014 but says, "Only AC-BNFA or AC-BNFA-NQ. Never anything else, or you will potentially exhaust memory in your firewall. There have been several discussions about this over the last couple of years here on the Forum, and the consensus is AC-BNFA or AC-BNFA-NQ. I personally recommend AC-BNFA-NQ."
-
@steveits Do you think they will ever be improved on in the future? Maybe improved use of multithreading, alongside something like ARM processor-specific sort methods?
-
@jonathanlee I don't know. We focus more on the blocking/functionality, as speed hasn't been a concern... at least until higher bandwidth speeds around here in the last couple of years.
I've seen posts about Snort adding multithreading, but IIRC that's in a version not in pfSense yet. I don't recall the details, but if you search the forum for "Snort multithreading" I'd expect you'll find posts about that.
-
@steveits I love multithreading. I have been researching this with Java for some time now with the university, but it's not fully taught, so I get hints from the Professor and book recommendations, and a lot of trial and error. I have a couple of binary search methods that split the lists between different threads and cores to help aid in searching. It's amazing to see it work. The concurrent threads do cause confusion; again, the CyclicBarrier class helps with making the threads run at exactly the same time, or the use of volatile variables helps for multiple objects that pass in variables in the method headers. Again, that is Java, not Python. Python has to have something also. Thanks for the reply.