[Snort-devel] New feature wanted: Rule matching stats

Martin Olsson elof at ...969...
Thu Jun 26 03:14:15 EDT 2003


When killing the snort process you get a lot of nice information. Among
other things, you can use it to fine-tune the configuration of snort.

In order to fine-tune the rules configuration, it would be nice if snort
could dump a count of matches for each rule, just as the command 'ipfw
show' does on BSD.

...then one could easily see which rules constantly match zero packets and
which rules match _lots_ of times. The unimportant rules could probably be
removed and maybe the highly matched rules could be placed earlier in the
rules list.

This is a simple but effective way to improve performance.


Now, the problem is that if we have 1000 rules, this will generate
lots of pages of output if every rule is to be printed with its counter
value, so it should be configurable whether one wants to include these
stats or not.

Maybe one could raise the level of statistics printed by sending SIGUSR2
signals to snort?
No USR2 = normal stats
one USR2 = normal + rule counters
two USR2 = normal + rule counters + a dump of the rules order.
(I don't know if it is possible to list the order of rules since they are
built in a 3D array...)
We can only _raise_ the level of statistics, but that is a minor problem.
Just restart snort to go back to the normal level (or the one stated in
snort.conf or command line)


Anyone else think this is a nice idea?

/Martin
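A small added illustration of the scheme proposed above (example code, not Snort's own): per-rule match counters, a stats level that each SIGUSR2 can only raise, and an exit report that flags never-matched rules. The rule sids, descriptions and the packet run are constructed sample data.

```python
import signal
from collections import Counter

LEVEL_NORMAL, LEVEL_COUNTERS, LEVEL_ORDER = 0, 1, 2  # assumed level names


class RuleStats:
    def __init__(self, rules):
        # rules: list of (sid, description) in evaluation order
        self.rules = list(rules)
        self.hits = Counter()
        self.level = LEVEL_NORMAL

    def record_match(self, sid):
        self.hits[sid] += 1

    def raise_level(self):
        # The level can only go up; restarting is the only way back down.
        self.level = min(self.level + 1, LEVEL_ORDER)
        return self.level

    def install_signal_handler(self):
        # Every SIGUSR2 received raises the level used by the exit report.
        signal.signal(signal.SIGUSR2, lambda signum, frame: self.raise_level())

    def report(self):
        out = {"packets_matched": sum(self.hits.values())}
        if self.level >= LEVEL_COUNTERS:
            counts = [(sid, self.hits[sid]) for sid, _ in self.rules]
            out["counters"] = sorted(counts, key=lambda c: c[1], reverse=True)
            out["never_matched"] = [sid for sid, n in counts if n == 0]
        if self.level >= LEVEL_ORDER:
            out["rule_order"] = [sid for sid, _ in self.rules]
        return out


# Constructed sample: three rules and the sids matched during a short run.
SAMPLE_RULES = [(1001, "web scan"), (1002, "unused legacy"), (1003, "icmp ping")]
SAMPLE_MATCHES = [1003, 1003, 1001, 1003, 1001, 1003]


def run_sample(usr2_count):
    # Stand-in for a snort run that received SIGUSR2 `usr2_count` times.
    stats = RuleStats(SAMPLE_RULES)
    for sid in SAMPLE_MATCHES:
        stats.record_match(sid)
    for _ in range(usr2_count):
        stats.raise_level()
    return stats.report()


if __name__ == "__main__":
    print(run_sample(1))  # counters plus the never_matched list
```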