On 9/15/10 11:15 AM, Török Edwin wrote:
On Wed, 15 Sep 2010 10:05:02 -0700 Dennis Peterson <denni...@inetnw.com> wrote:
On 9/15/10 7:47 AM, Tomasz Kojm wrote:
On Tue, 14 Sep 2010 09:22:48 -0700 Dennis Peterson <denni...@inetnw.com> wrote:
Time tests of sigtool --find-sigs compared to grep. The output of
either sigtool or grep can be piped back into sigtool
--decode-sigs:
$ time sigtool --find-sigs Sanesecurity.Spam.10995
Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520
real 2m4.16s
user 1m46.65s
sys 0m2.88s
Hi David,
how many signatures are you using and which OS? On my 3-year old
Linux box the search takes 3 seconds (~965k sigs):
$ time sigtool --find-sigs Sanesecurity.Spam.10995
Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520
real 0m3.076s
user 0m2.952s
sys 0m0.124s
There are 823070 signatures in the current daily.cld, main.cld, and
bytecode.cld, and 190586 signatures in the various Sane Security
files. This is a Sun Sparc box running Solaris.
How long does 'sigtool -l>/dev/null' take?
And which Sparc CPU? For comparison I tested on this one (only
main/daily/bytecode, no sanesecurity)
$ /usr/sbin/psrinfo -v -p
The physical processor has 24 virtual processors (0-23)
UltraSPARC-T2 (chipid 0, clock 1165 MHz)
$ time sigtool -l>/dev/null
real 0m16.128s
user 0m13.567s
sys 0m2.573s
I presume sigtool is single threaded so the proc count won't mean much. I have
one 500 MHz proc and sigtool -l >/dev/null takes 34 seconds.
I have a 4 core 3GHz system that does it in one second. It's not proportional -
just curious what it might be.
Which begs another question - anyone have a single command that will
generate these numbers based on signature files in the DataDictionary
directory?
sigtool -l | wc -l
Ok - I thought there might be something in the .cld headers that included sig
count but was not near a server to look. Thanks.
I just ran truss sigtool -l |wc -l and see it spends most of its time on
writes. It does buffered reads and line writes by the gazillion. There's
probably a better way.
dp
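
Added example, not part of the original thread and not sigtool's own code: a Python sketch that decodes the body of the Sanesecurity.Spam.10995 line quoted above into readable byte strings and gaps, which is the kind of reading a decode step gives an analyst. The function names are hypothetical, and it handles only hex runs, `*`, `??` and `{...}` gaps.

```python
import re

# Constructed sample: the signature line quoted in the thread above.
SAMPLE = ("Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572"
          "*5375626a6563743a20{-100}2520")

# Tokens handled by this sketch: "*", "{n}", "{n-}", "{-n}", "{n-m}", "??"
# and runs of hex byte pairs. Alternations and nibble wildcards are rejected.
TOKEN = re.compile(r"(?P<star>\*)|\{(?P<gap>\d+-\d*|-\d+|\d+)\}"
                   r"|(?P<any>\?\?)|(?P<hex>(?:[0-9a-fA-F]{2})+)")

def describe_gap(spec):
    if "-" not in spec:
        return f"exactly {spec} bytes"
    lo, hi = spec.split("-", 1)
    if lo and hi:
        return f"{lo} to {hi} bytes"
    return f"{lo} or more bytes" if lo else f"up to {hi} bytes"

def decode_body(body):
    parts, pos = [], 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}")
        if m.group("hex"):
            parts.append(("bytes", bytes.fromhex(m.group("hex"))))
        elif m.group("gap"):
            parts.append(("gap", describe_gap(m.group("gap"))))
        elif m.group("any"):
            parts.append(("gap", "exactly 1 byte"))
        else:
            parts.append(("gap", "any number of bytes"))
        pos = m.end()
    return parts

def parse_sig(line):
    # Field layout as seen in the quoted line: name:target:offset:body
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected name:target:offset:body")
    name, target, offset, body = fields[:4]
    return {"name": name, "target": int(target), "offset": offset,
            "parts": decode_body(body)}

if __name__ == "__main__":
    sig = parse_sig(SAMPLE)
    print(sig["name"], "target", sig["target"], "offset", sig["offset"])
    for kind, value in sig["parts"]:
        print(f"  {kind:5} {value!r}")
```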