[Snort-sigs] [Snort-devel] Rule Profiling on small pcap

Tony Robinson deusexmachina667 at ...2420...
Mon Nov 12 19:45:34 EST 2012


I could be quite wrong here, but as I understand it, rule profiling is only
going to give you statistics for rules that actually consumed CPU cycles
(ticks) and were actually checked, and then only the worst performers out
of the rules checked. What determines whether a rule is checked against and
consumes CPU time would be the rule trees that Snort creates and whether or
not Snort has your particular network traffic checked against the rule tree
where the rules you are looking to profile are actually loaded.

Additionally, I do not believe having profile statistics is going to
provide much value against a small PCAP. The idea of rule profiling
statistics is that you want to get an idea as to how much CPU time a
given rule or set of rules is going to consume against what is considered
real-world traffic for your network, and whether or not the rule is going
to cause unacceptable delay in processing. A small PCAP isn't going to
give you a sufficient cross section to determine that -- at least in my
very humble opinion.



On Mon, Nov 12, 2012 at 6:04 PM, Mike Cox <mike.cox52 at ...2420...> wrote:

> When running a small pcap through Snort that is configured for rule
> profiling, I don't see Rule Profile Statistics for rules that were
> loaded but did not match (i.e. alert) on anything. I see Rule Profile
> Statistics on the rule(s) that did generate an alert.
> Is this normal?
> What is the criteria for rule profile stats?  Is it polling based such
> that a small pcap gets processed before the polling interval is
> realized unless a rule fires?
> How do you do perf test on small pcaps?  (I sense a comment from Joel
> coming saying testing small pcaps isn't useful....)
> Thanks.
> -Mike Cox

when does reality end? when does fantasy begin?
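Added example, not part of the original thread or of the Snort project's own
documentation: a snort.conf fragment and command line for the Snort 2.9 rule
profiler, as a starting point for reproducing the observation discussed above.
Assumptions: Snort was built with --enable-perfprofiling (the profile_rules
directive has no effect otherwise), the paths and the pcap name are
placeholders, and --pcap-loop is used only to accumulate more checks from the
same packets; replaying one small pcap repeatedly does not widen the traffic
cross section.

```conf
# snort.conf fragment (added example, not from the thread).
# "print all" lists every rule that was checked at least once instead of
# only a top-<num> list, so rules that were checked but never matched
# show up; rules that were never checked still produce no row.
# "filename ... append" is an assumed output location.
config profile_rules: print all, sort total_ticks, filename rule_profile.txt append

# Command line (placeholders: /etc/snort/snort.conf, small.pcap).
# --pcap-loop replays the same pcap 100 times so that rules accumulate
# more checks; the statistics are printed when Snort exits.
#   snort -c /etc/snort/snort.conf --pcap-single small.pcap --pcap-loop 100
```

If the statistics still list only the alerting rules after `print all`, that is
a sign the other rules were never reached by this traffic, not a reporting
threshold; try `sort checks` to confirm the check counts.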
