[Snort-users] Snort 2.8.3 Performance Metrics (Avg/Match)

Todd Wease twease at ...1935...
Thu Oct 16 18:42:36 EDT 2008


Hi Geoff,

Thanks for the report.  The Avg/Match isn't correct.  We've created a
bug to address this.

Thanks again,
Todd


Geoff Whittington wrote:
> Hello,
>
> We've been giving 2.8.3 a whirl specifically to use snort's metrics.
> The following is a sample output of a single run of snort against one
> pcap and one snort signature.
>
>    Num  SID  GID  Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch
>    ===  ===  ===  ======  =======  ======  =========  =========  =========  ============
>      1  151    1      36       36      36      20254      562.6        0.2           0.0
>
>
> Since Checks=Matches=36 I would have expected Avg/Match to be 562.2,
> not 0.2. Is the documentation correct?
>
>
> Thanks,
>  - Geoff
>
> According to the URL:
> http://www.snort.org/docs/snort_htmanuals/htmanual_283/node150.html
>
> The columns represent:
>
>     * Number (rank)
>     * Sig ID
>     * Generator ID
>     * Checks (number of times rule was evaluated after fast pattern
>       match within portgroup or any-rules)
>     * Matches (number of times ALL rule options matched, will be high
>       for rules that have no options)
>     * Alerts (number of alerts generated from this rule)
>     * CPU Ticks
>     * Avg Ticks per Check
>     * Avg Ticks per Match
>     * Avg Ticks per Nonmatch
>
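An added example (not part of the thread and not Snort code): a consistency check over a rule-profiling row like the one Geoff posted, flagging averages that cannot be right given the counters. It assumes whitespace-separated columns in the order shown in the post and averages printed to one decimal place; the function names and the tolerance are hypothetical.

```python
# Column order as shown in the post above.
INT_COLS = ("num", "sid", "gid", "checks", "matches", "alerts", "microsecs")
FLOAT_COLS = ("avg_check", "avg_match", "avg_nonmatch")

# Row copied from the post, unwrapped onto one line.
SAMPLE_ROW = "1 151 1 36 36 36 20254 562.6 0.2 0.0"

# Assumption: averages are printed to one decimal, so allow rounding slack.
TOLERANCE = 0.06


def parse_row(line):
    """Split one profiling row into a dict of typed fields."""
    fields = line.split()
    if len(fields) != len(INT_COLS) + len(FLOAT_COLS):
        raise ValueError(f"expected 10 columns, got {len(fields)}")
    row = {k: int(v) for k, v in zip(INT_COLS, fields)}
    row.update({k: float(v) for k, v in zip(FLOAT_COLS, fields[7:])})
    return row


def check_row(row, tol=TOLERANCE):
    """Return the names of columns that contradict the row's own counters."""
    suspect = []
    checks, matches = row["checks"], row["matches"]
    if matches > checks:
        suspect.append("matches")  # a rule cannot match more often than it is checked
    if checks:
        # Avg/Check should be total time divided by number of checks.
        if abs(row["microsecs"] / checks - row["avg_check"]) > tol:
            suspect.append("avg_check")
        if matches == checks:
            # Every check matched: all time was spent on matches and
            # none on nonmatches, so Avg/Match must equal Avg/Check.
            if abs(row["avg_match"] - row["avg_check"]) > tol:
                suspect.append("avg_match")
            if row["avg_nonmatch"] > tol:
                suspect.append("avg_nonmatch")
    return suspect


if __name__ == "__main__":
    print(check_row(parse_row(SAMPLE_ROW)))
```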




