[Snort-sigs] [Snort-devel] Rule Profiling on small pcap

Mike Cox mike.cox52 at ...2420...
Tue Nov 13 09:01:02 EST 2012


DA.,

Thanks for the response and I agree with what you are saying and it is
pretty much exactly what I was thinking when I wrote the email.

However, I thought it odd that when I configured rule profiling to
'print all' and Snort loaded the rules (in this case a small set of
two rules), the profiling output did not have the rules listed (the
profiling output file said, 'No rules were profiled'.

Sorry for not being clearer about this in my first email.

Thanks.

-Mike Cox

On Mon, Nov 12, 2012 at 6:45 PM, Tony Robinson
<deusexmachina667 at ...2420...> wrote:
> Mike,
>
> I could be quite wrong here, but as I understand it, rule profiling is only
> going to give you statistics for rules that actually consumed CPU cycles
> (ticks), and were actually checked. and then, only the worse performers out
> of rules checked. What determines whether or a rule is checked against and
> consumes CPU time would the rule trees that snort creates and whether or not
> snort has your particular network traffic checked against the rule tree
> where the rules you are looking to profile are actually loaded.
>
> Additionally, I do not believe having profile statistics are going to
> provide much value against a small PCAP. the idea of rule profiling
> statistics being that you want to get an idea as to how much CPU time a
> given rule or set of rules is going to consume against what is considered
> real world traffic for your network, and whether or not the rule is going to
> cause unacceptable delay in processing. and a small PCAP isn't going to give
> you a sufficient cross section to determine that -- at least in my very
> humble opinion.
>
> Sincerely,
>
> DA.
>
>
>
> On Mon, Nov 12, 2012 at 6:04 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
>>
>> When running a small pcap thru Snort that is configured for rule
>> profiling, I don't see Rule Profile Statistics for rules that were
>> loaded but did not match (i.e. alert) on anything.  I see Rule Profile
>> Statistics on the rule(s) that did generate an alert.
>>
>> Is this normal?
>>
>> What is the criteria for rule profile stats?  Is it polling based such
>> that a small pcap gets processed before the polling interval is
>> realized unless a rule fires?
>>
>> How do you do perf test on small pcaps?  (I sense a comment from Joel
>> coming saying testing small pcaps isn't useful....)
>>
>> Thanks.
>>
>> -Mike Cox
>>
>>
>> ------------------------------------------------------------------------------
>> Monitor your physical, virtual and cloud infrastructure from a single
>> web console. Get in-depth insight into apps, servers, databases, vmware,
>> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
>> Pricing starts from $795 for 25 servers or applications!
>> http://p.sf.net/sfu/zoho_dev2dev_nov
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
>
> --
> when does reality end? when does fantasy begin?




More information about the Snort-sigs mailing list