[Snort-users] Performance monitoring issues

Lee Saunders lee.saunders at ...16528...
Thu Sep 12 06:58:56 EDT 2013


Coming back to this, I've temporarily removed all the ET blacklist rules, 
and tuned the preprocessor configuration as far as I could according to 
the recommendations to reduce the pattern match values, with little success.

The packet volume is low for now but will be expanded to monitor much 
greater volumes, so I need to ensure it is correct now. It seems there is a 
lot of rebuilding going on, but I don't really understand why, or how to 
reduce it.

Attached is the preprocessor perfmonitor output (snort_pp_profile), where 
the s5TcpProcessRebuilt value seems large, and snort_rules_profile (there 
are some high matching rules, and clearly more tuning is needed, but this 
does not explain the high pattern match as far as I can see). I've also 
included the output from perfmonitor in snort.stats; the % match is higher 
than seen previously, normally in the range 80 to 190 or so, but this run 
had detect anomalies on, so I'm not sure if that would be a cause for a 
large increase.

Although the drops here were for the first period after the snort restart, I 
see drops at random periods even with this volume of traffic when snort 
has been running for a while and as such is in a steady state; this is 
the concern leading to the deeper analysis.

On 06/09/13 14:20, Lee Saunders wrote:
> Attached document for the preprocessor; this has the below and various 
> other runs included.
>
> As stated, I am doing a performance monitoring run for specific rules and 
> will add those in due course. I have the blacklist rules activated and 
> these are swamping the results, so I will be removing these to test the 
> impact of other rules, and then look to add these back in; but running 
> as IDS, I do not believe the reputation preprocessor will help from 
> what I've been reading.
>
> However, the two initial questions I have are:
>
> 1) From the perfmon preprocessor output, I was seeing around 10% pattern 
> matching, but I filtered out a lot of background noise (safe upload 
> packets) and am now seeing patmatch_percent values routinely of well over 
> 100% (200 or 300% in some periods). I don't understand how this is 
> possible - a little in terms of fragmentation and reconstruction from 
> other preprocessors, but I was not expecting values of this order. Is it 
> normal, and if not, where should I look to mitigate it?
>
> 2) As I said, the rtn eval looks very high from what I've seen looking 
> around other discussions; is it something to worry about? Indeed, is it 
> reporting correctly? It looks like rule eval has two child modules, 
> rule tree eval (with % of parent as 99.66%) and rtn eval (% of parent as 
> 82.75), which does not make a whole lot of sense as that is considerably 
> > 100% of the caller.
>
> On 06/09/13 13:59, Joel Esler wrote:
>> Not sure what is causing the lines to wrap like that, but it's fairly
>> impossible to read. If you want to attach that as a plaintext word
>> document that would be beneficial. That said, do some rule profiling
>> as well, that way we can see what rules are causing problems, if any.
>>
>> On Fri, Sep 6, 2013 at 6:45 AM, Lee Saunders 
>> <lee.saunders at ...16528...> wrote:
>>> I've been starting performance monitoring on my setup, as there are
>>> unexpected drops appearing at one single installation (a virtualized
>>> configuration, so the traffic profile is pretty similar to the other
>>> installation).
>>>
>>> The bandwidth is pre-filtered so is relatively small, certainly small
>>> enough that drops are not currently expected. The first peculiarity
>>> is that, looking at perfmon, I see patmatch-percent numbers in the range
>>> 70 - 300%, very high and not what I'd expect.
>>>
>>> Looking then at profile monitoring, I can't find much on how to read
>>> and act on the values. I'm currently running a test for the rules
>>> profiling, but a preprocessor profile based on total ticks sorting has
>>> raised a couple of queries. The output of a short run is repeated below.
>>> However, the rtn eval value, when looked at against other outputs on
>>> the web, looks very high at 622810 ms, but it is not clear what this
>>> represents or how to improve it. There is also the implication from the
>>> output that this and rule tree eval are siblings of rule eval, but the
>>> % of parent then does not add up, with a value of around 170% - is there
>>> a known problem with how these are reported, and is this a red herring?
>>>
>>> I'm at the outset of the tuning exercise, but it's proving difficult to
>>> find resources which outline how to interpret these values and how to
>>> mitigate them. I'm assuming the top offending detect is influenced
>>> primarily by the rule definitions, hence the rules profiling I'm
>>> currently doing, but some insight into minimizing the subtasks would be
>>> useful, and whether any of the other preprocessors can influence it.
>>>
>>> timestamp: 1378398556
>>> Preprocessor Profile Statistics (all)
>>> ==========================================================
>>>  Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
>>>  ===            ============ =====     ======      =====           =========  ========= ============= ============
>>>   1                   detect     0      10553      10553              873142      82.74         83.64        83.64
>>>    1               rule eval     1      10427      10427              752623      72.18         86.20        72.09
>>>     1         rule tree eval     2      21935      21935              750099      34.20         99.66        71.85
>>>      1               content     3       4836       4836                1449       0.30          0.19         0.14
>>>      2                  pcre     3         19         19                1438      75.71          0.19         0.14
>>>      3                 flags     3       8970       8970                 656       0.07          0.09         0.06
>>>      4             byte_test     3       2929       2929                 517       0.18          0.07         0.05
>>>      5              dsize_eq     3       3987       3987                 402       0.10          0.05         0.04
>>>      6                  flow     3       2021       2021                 172       0.09          0.02         0.02
>>>      7  preproc_rule_options     3       1256       1256                  88       0.07          0.01         0.01
>>>      8            uricontent     3        168        168                  64       0.38          0.01         0.01
>>>      9                 itype     3        318        318                  40       0.13          0.01         0.00
>>>     10              flowbits     3        212        212                  32       0.15          0.00         0.00
>>>     11                 icode     3        285        285                  14       0.05          0.00         0.00
>>>     12             file_data     3        123        123                   5       0.04          0.00         0.00
>>>     13          byte_extract     3          6          6                   3       0.52          0.00         0.00
>>>     14              isdataat     3          8          8                   1       0.20          0.00         0.00
>>>     15                window     3          4          4                   0       0.15          0.00         0.00
>>>     2               rtn eval     2    1039167    1039167              622810       0.60         82.75        59.66
>>>    2                    mpse     1      10212      10212               87608       8.58         10.03         8.39
>>>   2                       s5     0       9321       9321               86594       9.29          8.29         8.29
>>>    1                   s5tcp     1       8062       6651               64012       7.94         73.92       6.1310
>>>     1             s5TcpState     2       6651       6651               46814       7.04         73.13         4.48
>>>      1             s5TcpData     3       1606       1606                5624       3.50         12.01         0.54
>>>       1       s5TcpPktInsert     4       1406       1406                4829       3.43         85.86         0.46
>>>      2            s5TcpFlush     3       1037       1037                2863       2.76          6.12         0.27
>>>       1  s5TcpProcessRebuilt     4        892        892               50297      56.39       1756.44         4.82
>>>       2     s5TcpBuildPacket     4        892        892                 665       0.75         23.25         0.06
>>>     2           s5TcpNewSess     2        197        197                1075       5.46          1.68         0.10
>>>   3                      ssl     0       2090       2090               20935      10.02          2.01         2.01
>>>   4                   decode     0       9853       9853               20088       2.04          1.92         1.92
>>>   5           sensitive_data     0        162        162               14964      92.37          1.43         1.43
>>>   6                   eventq     0      20562      20562                6610       0.32          0.63         0.63
>>>   7                     smtp     0       3748       3748                5387       1.44          0.52         0.52
>>>   8              httpinspect     0       3782       3782                5162       1.36          0.49         0.49
>>>   9               DceRpcMain     0       2865       2865                3518       1.23          0.34         0.34
>>>    1           DceRpcSession     1       2865       2865                2745       0.96         78.01         0.26
>>>     1       DceRpcNewSession     2       2865       2865                1584       0.55         57.72         0.15
>>>  10                  perfmon     0      10721      10721                3119       0.29          0.30         0.30
>>>  11                      ssh     0       2433       2116                1805       0.74          0.17         0.17
>>>  12                      pop     0       3707       3707                1434       0.39          0.14         0.14
>>>  13                     imap     0       3707       3707                1254       0.34          0.12         0.12
>>>  14                      sip     0       3692       3692                 842       0.23          0.08         0.08
>>>  15                   modbus     0       3707       3707                 692       0.19          0.07         0.07
>>>  16                     dnp3     0       1259       1259                 572       0.46          0.05         0.05
>>>  17              backorifice     0       1259       1259                 437       0.35          0.04         0.04
>>>  18                      dns     0        820        820                 164       0.20          0.02         0.02
>>>  total                 total     0       9835       9835             1043957     106.15          0.00         0.00
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest 
>>> Snort news!

-------------- next part --------------

timestamp: 1378978044
Preprocessor Profile Statistics (all)
==========================================================
 Num            Preprocessor Layer     Checks      Exits           Microsecs  Avg/Check Pct of Caller Pct of Total
 ===            ============ =====     ======      =====           =========  ========= ============= ============
  1                   detect     0      39466      39466             1959310      49.65         73.65        73.65
   1                    mpse     1      57157      57157              721721      12.63         36.84        27.13
   2               rule eval     1      45251      45251               54952       1.21          2.80         2.07
    1         rule tree eval     2      69308      69308               47150       0.68         85.80         1.77
     1               content     3      16771      16771                6914       0.41         14.67         0.26
     2             byte_test     3      15015      15015                2601       0.17          5.52         0.10
     3              dsize_eq     3      21055      21055                1768       0.08          3.75         0.07
     4  preproc_rule_options     3      48540      48540                1181       0.02          2.51         0.04
     5                  flow     3       7910       7910                 566       0.07          1.20         0.02
     6                  pcre     3         40         40                 544      13.62          1.16         0.02
     7            uricontent     3        658        658                 262       0.40          0.56         0.01
     8              flowbits     3       1191       1191                 213       0.18          0.45         0.01
     9                 itype     3        957        957                  95       0.10          0.20         0.00
    10                 icode     3        794        794                  52       0.07          0.11         0.00
    11             file_data     3        557        557                  32       0.06          0.07         0.00
    12              isdataat     3         64         64                  12       0.20          0.03         0.00
    13          byte_extract     3         21         21                  10       0.48          0.02         0.00
    14                 flags     3         84         84                   6       0.08          0.01         0.00
    15                window     3         42         42                   4       0.10          0.01         0.00
    2               rtn eval     2        323        323                 447       1.39          0.81         0.02
  2                       s5     0      34539      34539             1932002      55.94         72.62        72.62
   1                   s5tcp     1      26637      26302             1871077      70.24         96.85        70.33
    1             s5TcpState     2      26297      26297             1827273      69.49         97.66        68.69
     1             s5TcpData     3      13878      13878               23280       1.68          1.27         0.88
      1       s5TcpPktInsert     4      12662      12662               19439       1.54         83.50         0.73
     2            s5TcpFlush     3       4130       4130               10189       2.47          0.56         0.38
      1  s5TcpProcessRebuilt     4       3878       3878             1800661     464.33      17671.44        67.69
      2     s5TcpBuildPacket     4       3880       3880                3222       0.83         31.63         0.12
    2           s5TcpNewSess     2        588        588                3085       5.25          0.16         0.12
  3           sensitive_data     0       4184       4184             1271234     303.83         47.78        47.78
  4                     smtp     0      17846      17846              226146      12.67          8.50         8.50
  5                   decode     0      36729      36729               60572       1.65          2.28         2.28
  6                  perfmon     0      40505      40505               40903       1.01          1.54         1.54
  7                      ssl     0       5018       5018               38160       7.60          1.43         1.43
  8                   eventq     0      77212      77212               22127       0.29          0.83         0.83
  9               DceRpcMain     0      20464      20464               16259       0.79          0.61         0.61
   1           DceRpcSession     1      20464      20464               12330       0.60         75.84         0.46
    1       DceRpcNewSession     2      20464      20464                7433       0.36         60.28         0.28
 10              httpinspect     0      17997      17997               13172       0.73          0.50         0.50
 11                      ssh     0       3445       2311                3230       0.94          0.12         0.12
 12                      dns     0       4220       4220                 670       0.16          0.03         0.03
 total                 total     0      36667      36667             2660335      72.55          0.00         0.00
-------------- next part --------------

timestamp: 1378978044
Rule Profile Statistics (worst 2000 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1  2003286   1   7       5658         0         0                8359        1.5        0.0          1.5          0
     2  2003287   1   6       5658         0         0                8359        1.5        0.0          1.5          0
     3  2013739   1   8       7902         0         0                2453        0.3        0.0          0.3          0
     4  2014702   1   6       2111         0         0                2377        1.1        0.0          1.1          0
     5  2014701   1   7       2111         0         0                1783        0.8        0.0          0.8          0
     6  2010100   1   7       5455         0         0                1776        0.3        0.0          0.3          0
     7        5 138   1      12126         0         0                1256        0.1        0.0          0.1          0
     8  2009702   1   5       2111         0         0                 913        0.4        0.0          0.4          0
     9        2 138   1      12126         0         0                 845        0.1        0.0          0.1          0
    10        3 138   1      12126         0         0                 812        0.1        0.0          0.1          0
    11  2008058   1   6        871         0         0                 770        0.9        0.0          0.9          0
    12  2011296   1   2       1928         0         0                 647        0.3        0.0          0.3          0
    13        6 138   1      12126         0         0                 581        0.0        0.0          0.0          0
    14  2014828   1   2         94         0         0                 542        5.8        0.0          5.8          0
    15  2011295   1   7       1472         0         0                 531        0.4        0.0          0.4          0
    16  2102697   1   3         54         0         0                 522        9.7        0.0          9.7          0
    17  2010101   1   6       1384         0         0                 502        0.4        0.0          0.4          0
    18  2100366   1   8        163        77        77                 485        3.0        5.7          0.5          0
    19  2012932   1   6        129         0         0                 378        2.9        0.0          2.9          0
    20      463   1  12        794         0         0                 376        0.5        0.0          0.5          0
    21     7041   1  11       1875         0         0                 373        0.2        0.0          0.2          0
    22    14651   1   8       1875         0         0                 373        0.2        0.0          0.2          0
    23    14652   1   8       1875         0         0                 373        0.2        0.0          0.2          0
    24  2014703   1   5       2111         0         0                 367        0.2        0.0          0.2          0
    25  2100474   1   5        630         0         0                 335        0.5        0.0          0.5          0
    26  2012236   1   1       1034         0         0                 328        0.3        0.0          0.3          0
    27    23680   1   3         34         0         0                 298        8.8        0.0          8.8          0
    28    24892   1   1        542         0         0                 294        0.5        0.0          0.5          0
    29  2101201   1   9        798         0         0                 291        0.4        0.0          0.4          0
    30    17332   1   7         46         0         0                 265        5.8        0.0          5.8          0
    31  2011034   1   4        903         0         0                 241        0.3        0.0          0.3          0
    32  2102056   1   6        903         0         0                 241        0.3        0.0          0.3          0
    33100000197   1   2        794         0         0                 238        0.3        0.0          0.3          0
    34  2101603   1  14        903         0         0                 236        0.3        0.0          0.3          0
    35  2011032   1   4        903         0         0                 231        0.3        0.0          0.3          0
    36  2011033   1   7        903         0         0                 229        0.3        0.0          0.3          0
    37  2009219   1   3        274         0         0                 221        0.8        0.0          0.8          0
    38  2103196   1   3        110         0         0                 215        2.0        0.0          2.0          0
    39  2010941   1   1        124         0         0                 202        1.6        0.0          1.6          0
    40  2000328   1  12         42         0         0                 193        4.6        0.0          3.1          0
    41  2007703   1   8        317         0         0                 188        0.6        0.0          0.6          0
    42  2011031   1   6        173         0         0                 186        1.1        0.0          1.1          0
    43  2002087   1  10         42        30         0                 177        4.2        3.8          5.2          0
    44  2010497   1   8         23         0         0                 175        7.6        0.0          7.6          0
    45  2012809   1   2         96         0         0                 172        1.8        0.0          1.8          0
    46  2012445   1   5         23         0         0                 160        7.0        0.0          7.0          0
    47    21729   1   2         70         0         0                 147        2.1        0.0          2.1          0
    48    21873   1   2         92         0         0                 133        1.5        0.0          1.5          0
    49  2003195   1   5         92         0         0                 130        1.4        0.0          1.4          0
    50    24102   1   2         42         0         0                 124        3.0        0.0          3.0          0
    51    23679   1   4        206         0         0                 121        0.6        0.0          0.6          0
    52  2100467   1   4        630         0         0                 105        0.2        0.0          0.2          0
    53  2011124   1  14         22         0         0                  99        4.5        0.0          4.5          0
    54  2008411   1   5         23         0         0                  99        4.3        0.0          4.3          0
    55  2011979   1   1         29         0         0                  98        3.4        0.0          3.4          0
    56  2012444   1   2         23         0         0                  95        4.1        0.0          4.1          0
    57  2012632   1   3         29         0         0                  91        3.2        0.0          3.2          0
    58    20957   1   7         71         0         0                  83        1.2        0.0          1.2          0
    59  2012612   1   9        161         0         0                  82        0.5        0.0          0.5          0
    60  2002823   1   6         24         0         0                  81        3.4        0.0          3.4          0
    61  2013382   1   2        161         0         0                  80        0.5        0.0          0.5          0
    62  2100654   1  15         87         0         0                  79        0.9        0.0          0.9          0
    63  2001263   1   5         47         0         0                  79        1.7        0.0          1.7          0
    64    15514   1   3        184         0         0                  75        0.4        0.0          0.4          0
    65  2012493   1   2         23         0         0                  75        3.3        0.0          3.3          0
    66  2012384   1   3        161         0         0                  74        0.5        0.0          0.5          0
    67  2010140   1   5         80         0         0                  70        0.9        0.0          0.9          0
    68  2001219   1  18         84        12         0                  69        0.8        4.6          0.2          0
    69    17548   1  10        136         0         0                  67        0.5        0.0          0.5          0
    70    23128   1   3         25         0         0                  62        2.5        0.0          2.5          0
    71  2012645   1   4         72         0         0                  58        0.8        0.0          0.8          0
    72  2003068   1   6         84        12         0                  52        0.6        3.2          0.2          0
    73  2013075   1   7         24         0         0                  52        2.2        0.0          2.2          0
    74  2008021   1   3        129         0         0                  49        0.4        0.0          0.4          0
    75    21994   1   2         25         0         0                  47        1.9        0.0          1.9          0
    76  2008270   1   3         63         0         0                  46        0.7        0.0          0.7          0
    77  2001795   1   9         42         0         0                  44        1.1        0.0          1.1          0
    78  2102091   1  10         48         0         0                  39        0.8        0.0          0.8          0
    79  2015852   1   2         87         0         0                  39        0.5        0.0          0.5          0
    80  2102563   1   6         84         0         0                  35        0.4        0.0          0.4          0
    81    21613   1   2         25         0         0                  35        1.4        0.0          1.4          0
    82    24464   1   1          4         0         0                  33        8.5        0.0          8.5          0
    83    23745   1   4         17         0         0                  33        2.0        0.0          2.0          0
    84    19911   1   7         88         0         0                  29        0.3        0.0          0.3          0
    85  2012064   1   3         46         0         0                  29        0.6        0.0          0.6          0
    86  2003320   1   3         20         0         0                  29        1.5        0.0          1.5          0
    87    21614   1   3         16         0         0                  25        1.6        0.0          1.6          0
    88  2002927   1   7         56         0         0                  24        0.4        0.0          0.4          0
    89    23667   1   4          5         1         0                  24        4.8        9.2          3.8          0
    90  2102698   1   3          2         0         0                  23       12.0        0.0         12.0          0
    91  2014272   1   1         69         0         0                  22        0.3        0.0          0.3          0
    92    23648   1   4         42         0         0                  22        0.5        0.0          0.5          0
    93  2008520   1   4         41         0         0                  22        0.6        0.0          0.6          0
    94  2011015   1   4         41         0         0                  22        0.5        0.0          0.5          0
    95    16008   1  11         12         0         0                  21        1.8        0.0          1.8          0
    96    18267   1   5         15         0         0                  20        1.4        0.0          1.4          0
    97    15512   1   7         15         0         0                  20        1.4        0.0          1.4          0
    98    24186   1   1         29         0         0                  19        0.7        0.0          0.7          0
    99  2003310   1   3          8         0         0                  19        2.4        0.0          2.4          0
   100  2008782   1   3          6         0         0                  18        3.0        0.0          3.0          0
   101  2013935   1   2         18         0         0                  17        1.0        0.0          1.0          0
   102    23685   1   3         31         0         0                  17        0.6        0.0          0.6          0
   103  2012934   1   3          6         0         0                  12        2.1        0.0          2.1          0
   104  2012115   1   5          4         0         0                  11        3.0        0.0          3.0          0
   105  2003309   1   4          8         0         0                  11        1.5        0.0          1.5          0
   106  2008034   1   3         23         0         0                  11        0.5        0.0          0.5          0
   107  2007917   1   2         17         0         0                  11        0.7        0.0          0.7          0
   108  2007660   1   8          6         0         0                  11        1.8        0.0          1.8          0
   109    23742   1   3         18         0         0                  10        0.6        0.0          0.6          0
   110  2003317   1   3          7         0         0                  10        1.4        0.0          1.4          0
   111  2013355   1   3          6         0         0                  10        1.7        0.0          1.7          0
   112    23758   1   2          9         0         0                   9        1.1        0.0          1.1          0
   113  2010597   1   3          6         0         0                   9        1.6        0.0          1.6          0
   114  2003319   1   3          5         0         0                   9        2.0        0.0          2.0          0
   115    23836   1   3         48         0         0                   9        0.2        0.0          0.2          0
   116    23153   1   2         48         0         0                   9        0.2        0.0          0.2          0
   117    23154   1   2         48         0         0                   9        0.2        0.0          0.2          0
   118    21999   1   4         48         0         0                   9        0.2        0.0          0.2          0
   119    23152   1   2         48         0         0                   9        0.2        0.0          0.2          0
   120    23155   1   2         48         0         0                   9        0.2        0.0          0.2          0
   121  2007601   1   5          6         0         0                   9        1.5        0.0          1.5          0
   122  2009966   1   3         20         0         0                   8        0.4        0.0          0.4          0
   123  2007859   1   6          6         0         0                   8        1.4        0.0          1.4          0
   124  2009212   1   3          6         0         0                   8        1.4        0.0          1.4          0
   125    23515   1   2         25         0         0                   8        0.3        0.0          0.3          0
   126    17731   1   5          1         0         0                   8        8.0        0.0          8.0          0
   127  2101616   1   9          2         0         0                   8        4.0        0.0          4.0          0
   128    23740   1   3          8         0         0                   7        1.0        0.0          1.0          0
   129    21235   1   2         48         0         0                   7        0.2        0.0          0.2          0
   130  2011393   1   2          6         0         0                   7        1.3        0.0          1.3          0
   131  2009969   1   4         15         0         0                   7        0.5        0.0          0.5          0
   132    24553   1   1         10         0         0                   7        0.7        0.0          0.7          0
   133  2010488   1   2         20         0         0                   7        0.4        0.0          0.4          0
   134  2010486   1   2         20         0         0                   7        0.4        0.0          0.4          0
   135  2007602   1   7          6         0         0                   6        1.1        0.0          1.1          0
   136    23684   1   3          8         0         0                   6        0.8        0.0          0.8          0
   137    23729   1   3         10         0         0                   6        0.7        0.0          0.7          0
   138     9027   1  12         15         0         0                   6        0.4        0.0          0.4          0
   139    15860   1   7         15         0         0                   6        0.4        0.0          0.4          0
   140    15015   1  11         15         0         0                   6        0.4        0.0          0.4          0
   141    12489   1   8         15         0         0                   6        0.4        0.0          0.4          0
   142     4245   1  12         15         0         0                   6        0.4        0.0          0.4          0
   143     6455   1  10         15         0         0                   6        0.4        0.0          0.4          0
   144     6431   1  10         15         0         0                   6        0.4        0.0          0.4          0
   145     6419   1  10         15         0         0                   6        0.4        0.0          0.4          0
   146     6443   1  10         15         0         0                   6        0.4        0.0          0.4          0
   147    14737   1   9         15         0         0                   6        0.4        0.0          0.4          0
   148     2508   1  17         15         0         0                   6        0.4        0.0          0.4          0
   149     7209   1  15         15         0         0                   6        0.4        0.0          0.4          0
   150    14782   1  15         15         0         0                   6        0.4        0.0          0.4          0
   151     3409   1  14         15         0         0                   6        0.4        0.0          0.4          0
   152     9769   1  10         15         0         0                   6        0.4        0.0          0.4          0
   153  2003323   1   4          2         0         0                   6        3.0        0.0          3.0          0
   154    18526   1   2         12         0         0                   5        0.5        0.0          0.5          0
   155     4754   1  10         15         0         0                   5        0.4        0.0          0.4          0
   156  2003315   1   3          9         0         0                   5        0.6        0.0          0.6          0
   157  2015793   1   1          5         0         0                   5        1.1        0.0          1.1          0
   158    21244   1   7          6         0         0                   5        0.9        0.0          0.9          0
   159    23744   1   3         10         0         0                   5        0.5        0.0          0.5          0
   160  2003311   1   3         11         0         0                   4        0.4        0.0          0.4          0
   161  2000348   1  12         12         0         0                   4        0.4        0.0          0.4          0
   162  2003313   1   3          7         0         0                   4        0.6        0.0          0.6          0
   163  2013793   1   1          2         0         0                   4        2.0        0.0          2.0          0
   164    23701   1   4          8         0         0                   4        0.5        0.0          0.5          0
   165  2009098   1   3          7         0         0                   4        0.6        0.0          0.6          0
   166  2009967   1   4          7         0         0                   3        0.5        0.0          0.5          0
   167  2011747   1   3          3         0         0                   3        1.2        0.0          1.2          0
   168  2009972   1   4          6         0         0                   3        0.6        0.0          0.6          0
   169    24535   1   1          3         0         0                   3        1.1        0.0          1.1          0
   170  2009970   1   4          5         0         0                   3        0.6        0.0          0.6          0
   171  2014957   1   1          2         0         0                   2        1.2        0.0          1.2          0
   172    23666   1   4          1         0         0                   2        2.3        0.0          2.3          0
   173  2007920   1   3         12         0         0                   2        0.2        0.0          0.2          0
   174  2002926   1   7          5         0         0                   2        0.5        0.0          0.5          0
   175    23683   1   3          2         0         0                   2        1.1        0.0          1.1          0
   176  2011588   1  17          2         0         0                   2        1.0        0.0          1.0          0
   177  2008027   1   3         10         0         0                   2        0.2        0.0          0.2          0
   178  2003312   1   3          6         0         0                   2        0.3        0.0          0.3          0
   179    23709   1   4          1         0         0                   1        1.9        0.0          1.9          0
   180  2003316   1   3          6         0         0                   1        0.3        0.0          0.3          0
   181  2003318   1   3          4         0         0                   1        0.5        0.0          0.5          0
   182  2008124   1   5          2         0         0                   1        1.0        0.0          1.0          0
   183  2003308   1   4          4         0         0                   1        0.5        0.0          0.5          0
   184  2008029   1   3          4         0         0                   1        0.4        0.0          0.4          0
   185    23536   1   2          1         0         0                   1        1.4        0.0          1.4          0
   186  2000345   1  15          2         0         0                   1        0.6        0.0          0.6          0
   187  2014600   1   5          4         0         0                   0        0.2        0.0          0.2          0
   188  2012327   1   3          1         0         0                   0        0.8        0.0          0.8          0
   189  2009099   1   3          1         0         0                   0        0.7        0.0          0.7          0
   190  2102123   1   7          4         0         0                   0        0.2        0.0          0.2          0
   191  2008953   1   9          4         0         0                   0        0.2        0.0          0.2          0
   192  2014956   1   1          1         0         0                   0        0.5        0.0          0.5          0
   193  2014958   1   1          1         0         0                   0        0.5        0.0          0.5          0
   194  2013794   1   1          1         0         0                   0        0.2        0.0          0.2          0
-------------- next part --------------
################################### Perfmon start: pid=7325 at=Thu Sep 12 09:27:52 2013 (1378974472) ###################################
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,avg_bytes_per_wire_packet,patmatch_percent,syns_per_second,synacks_per_second,new_sessions_per_second,deleted_sessions_per_second,total_sessions,max_sessions,stream_flushes_per_second,stream_faults,stream_timeouts,frag_creates_per_second,frag_completes_per_second,frag_inserts_per_second,frag_deletes_per_second,frag_autofrees_per_second,frag_flushes_per_second,current_frags,max_frags,frag_timeouts,frag_faults,iCPUs,usr[0],sys[0],idle[0],wire_mbits_per_sec.realtime,ipfrag_mbits_per_sec.realtime,ipreass_mbits_per_sec.realtime,rebuilt_mbits_per_sec.realtime,mbits_per_sec.realtime,avg_bytes_per_wire_packet,avg_bytes_per_ipfrag_packet,avg_bytes_per_ipreass_packet,avg_bytes_per_rebuilt_packet,avg_bytes_per_packet,kpackets_wire_per_sec.realtime,kpackets_ipfrag_per_sec.realtime,kpackets_ipreass_per_sec.realtime,kpackets_rebuilt_per_sec.realtime,kpackets_per_sec.realtime,pkt_stats.pkts_recv,pkt_stats.pkts_drop,total_blocked_packets,new_udp_sessions_per_second,deleted_udp_sessions_per_second,total_udp_sessions,max_udp_sessions,max_tcp_sessions_interval,curr_tcp_sessions_initializing,curr_tcp_sessions_established,curr_tcp_sessions_closing,tcp_sessions_midstream_per_second,tcp_sessions_closed_per_second,tcp_sessions_timedout_per_second,tcp_sessions_pruned_per_second,tcp_sessions_dropped_async_per_second,current_attribute_hosts,attribute_table_reloads,mpls_mbits_per_sec.realtime,avg_bytes_per_mpls_packet,kpackets_per_sec_mpls.realtime,total_tcp_filtered_packets,total_udp_filtered_packets,ip4::trim,ip4::tos,ip4::df,ip4::rf,ip4::ttl,ip4::opts,icmp4::echo,ip6::ttl,ip6::opts,icmp6::echo,tcp::syn_opt,tcp::opt,tcp::pad,tcp::rsv,tcp::ns,tcp::urg,tcp::urp,tcp::trim,tcp::ecn_pkt,tcp::ecn_ssn,tcp::ts_ecr,tcp::ts_nop,tcp::ips_data,tcp::block,total_injected_packets,frag3_mem_in_use,stream5_mem_in_use
1378975241,15.037,0.137,0.047,0.018,950,491.791,0.161,0.147,0.158,0.028,101,101,2.420,0,318,0.000,0.000,0.000,0.000,0.000,0.000,0,0,0,0,1,0.243,0.004,99.752,0.137,0.000,0.000,0.123,0.260,950,0,0,6356,1588,0.018,0.000,0.000,0.002,0.020,14103,2496,0,0.569,0.402,130,154,101,14,27,60,0.001,0.026,0.407,0.000,0.000,0,0,0.000,0,0.000,0,76,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32070,
1378976093,0.000,0.014,0.033,0.007,266,327.233,0.175,0.158,0.170,0.022,227,227,0.523,0,589,0.000,0.000,0.000,0.000,0.000,0.000,0,0,0,0,1,0.047,0.000,99.953,0.014,0.000,0.000,0.008,0.021,266,0,0,1814,381,0.007,0.000,0.000,0.001,0.007,5551,0,0,0.846,0.686,266,276,227,31,48,148,0.000,0.020,0.691,0.000,0.000,0,0,0.000,0,0.000,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,62620,
1378976842,0.000,0.038,0.048,0.010,480,82.126,0.196,0.179,0.186,0.025,347,347,0.859,0,638,0.000,0.000,0.000,0.000,0.000,0.000,0,0,0,0,1,0.043,0.000,99.957,0.038,0.000,0.000,0.006,0.044,480,0,0,889,513,0.010,0.000,0.000,0.001,0.011,7370,0,0,0.578,0.851,62,297,347,41,83,223,0.000,0.025,0.852,0.000,0.000,0,0,0.000,0,0.000,0,36,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,116006,
1378977598,0.000,0.007,0.034,0.005,175,204.411,0.157,0.140,0.152,0.020,447,447,0.508,0,282,0.000,0.000,0.000,0.000,0.000,0.000,0,0,0,0,1,0.026,0.002,99.971,0.007,0.000,0.000,0.003,0.009,175,0,0,655,221,0.005,0.000,0.000,0.001,0.005,3633,0,0,0.360,0.368,56,297,447,56,102,289,0.000,0.017,0.373,0.000,0.000,0,0,0.000,0,0.000,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,141709,
################################### Perfmon stop: pid=7325 at=Thu Sep 12 10:27:23 2013 (1378978043) ###################################
################################### Perfmon start: pid=11406 at=Thu Sep 12 10:29:01 2013 (1378978141) ###################################
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,kpackets_wire_per_sec.realtime,avg_bytes_per_wire_packet,patmatch_percent,syns_per_second,synacks_per_second,new_sessions_per_second,deleted_sessions_per_second,total_sessions,max_sessions,stream_flushes_per_second,stream_faults,stream_timeouts,frag_creates_per_second,frag_completes_per_second,frag_inserts_per_second,frag_deletes_per_second,frag_autofrees_per_second,frag_flushes_per_second,current_frags,max_frags,frag_timeouts,frag_faults,iCPUs,usr[0],sys[0],idle[0],wire_mbits_per_sec.realtime,ipfrag_mbits_per_sec.realtime,ipreass_mbits_per_sec.realtime,rebuilt_mbits_per_sec.realtime,mbits_per_sec.realtime,avg_bytes_per_wire_packet,avg_bytes_per_ipfrag_packet,avg_bytes_per_ipreass_packet,avg_bytes_per_rebuilt_packet,avg_bytes_per_packet,kpackets_wire_per_sec.realtime,kpackets_ipfrag_per_sec.realtime,kpackets_ipreass_per_sec.realtime,kpackets_rebuilt_per_sec.realtime,kpackets_per_sec.realtime,pkt_stats.pkts_recv,pkt_stats.pkts_drop,total_blocked_packets,new_udp_sessions_per_second,deleted_udp_sessions_per_second,total_udp_sessions,max_udp_sessions,max_tcp_sessions_interval,curr_tcp_sessions_initializing,curr_tcp_sessions_established,curr_tcp_sessions_closing,tcp_sessions_midstream_per_second,tcp_sessions_closed_per_second,tcp_sessions_timedout_per_second,tcp_sessions_pruned_per_second,tcp_sessions_dropped_async_per_second,current_attribute_hosts,attribute_table_reloads,mpls_mbits_per_sec.realtime,avg_bytes_per_mpls_packet,kpackets_per_sec_mpls.realtime,total_tcp_filtered_packets,total_udp_filtered_packets,ip4::trim,ip4::tos,ip4::df,ip4::rf,ip4::ttl,ip4::opts,icmp4::echo,ip6::ttl,ip6::opts,icmp6::echo,tcp::syn_opt,tcp::opt,tcp::pad,tcp::rsv,tcp::ns,tcp::urg,tcp::urp,tcp::trim,tcp::ecn_pkt,tcp::ecn_ssn,tcp::ts_ecr,tcp::ts_nop,tcp::ips_data,tcp::block,total_injected_packets,frag3_mem_in_use,stream5_mem_in_use