[Snort-sigs] Rule Profiling on small pcap

Mike Cox mike.cox52 at ...2420...
Mon Nov 12 18:04:15 EST 2012


When running a small pcap thru Snort that is configured for rule
profiling, I don't see Rule Profile Statistics for rules that were
loaded but did not match (i.e. alert) on anything.  I see Rule Profile
Statistics on the rule(s) that did generate an alert.

Is this normal?

What is the criteria for rule profile stats?  Is it polling based such
that a small pcap gets processed before the polling interval is
realized unless a rule fires?

How do you do perf test on small pcaps?  (I sense a comment from Joel
coming saying testing small pcaps isn't useful....)

Thanks.

-Mike Cox




More information about the Snort-sigs mailing list