[Snort-users] Enable perprofile
wkitty42 at ...14940...
Sat Apr 8 19:27:23 EDT 2017
On 04/08/2017 06:23 PM, Abdullah AL-Mutairy wrote:
> Hello everyone!
> I was trying to enable performance profiling in snort 2.9.9.
> So I edited snort.conf and deleted the "#" that comes before OPTIONS : --enable-gre --enable-mpls .. etc.
> But when I validate the configuration I get an error.
you don't need those for performance monitoring... maybe the one for
--enable-perfprofiling but those are for building snort from source so you need
to rebuild with that option in place...
> How can i enable performance monitoring? I want to see details about cpu
> usage, number of signatures detected, and other details.
you need to enable "preprocessor perfmonitor" in snort.conf... here's an
example... there are six lines... the first line is a description... the next
four are commented out examples... you only need one of the others to create the
csv file with the performance data in it... we use the last one here to get data
written to the csv file every 5 minutes...
# performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
# preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
# preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 10000
# preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1000
preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1
then there's these next two sections... the first for profiling rules and the
second for profiling the snort processors...
# rules profiling
# print worst 25 rules based on time spent in them...
#config profile_rules: print all, sort total_ticks, filename rules_stats.log
config profile_rules: print 25, sort total_ticks, filename rules_stats.log
# preprocessor profiling
# print worst 10 preprocessors based on time spent in them...
config profile_preprocs: print 10, sort total_ticks, filename preprocs_stats.log
please read my signature below and keep responses *on the list*... do not reply
to me in private... it will be ignored or followed up by support contract
requirements... take the free assistance from the list while it is available ;)
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
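
A small check for the snort.conf lines discussed in this message, added here as an example (it is not part of the original post or of Snort): it reports which perfmonitor and profile_* directives are actually active and repeats the build dependency the reply mentions. The function names and the sample text are assumptions made for illustration, and only the options shown in the message are parsed.

```python
import re

# Constructed sample: directives quoted from the message above.
SAMPLE_CONF = """\
# preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1000
preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1
config profile_rules: print 25, sort total_ticks, filename rules_stats.log
config profile_preprocs: print 10, sort total_ticks, filename preprocs_stats.log
"""

PERFMON = re.compile(r"^preprocessor\s+perfmonitor\s*:\s*(.*)$")
PROFILE = re.compile(r"^config\s+(profile_rules|profile_preprocs)\s*:\s*(.*)$")
VALUE_OPTS = {"time", "file", "snortfile", "pktcnt"}  # only the options used on this page

def parse_perfmonitor(args):
    """Space-separated options; those in VALUE_OPTS take a value, others are bare flags."""
    opts, tokens = {}, iter(args.split())
    for tok in tokens:
        opts[tok] = next(tokens, None) if tok in VALUE_OPTS else True
    return opts

def parse_profile(args):
    """Comma-separated 'key value' pairs, e.g. 'print 25, sort total_ticks'."""
    pairs = (part.split(None, 1) for part in args.split(",") if part.strip())
    return {p[0]: (p[1].strip() if len(p) > 1 else True) for p in pairs}

def audit(conf_text):
    """Return active perfmonitor/profile directives plus warnings about them."""
    perfmon, profiling, warnings = [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out examples are inactive
        if m := PERFMON.match(line):
            perfmon.append((lineno, parse_perfmonitor(m.group(1))))
        elif m := PROFILE.match(line):
            profiling.append((lineno, m.group(1), parse_profile(m.group(2))))
    if not perfmon:
        warnings.append("no active perfmonitor line: no stats file will be written")
    elif len(perfmon) > 1:
        warnings.append("multiple active perfmonitor lines: only one is needed")
    for lineno, opts in perfmon:
        if not ({"file", "snortfile"} & opts.keys()):
            warnings.append(f"line {lineno}: perfmonitor has no file/snortfile output")
    if profiling:  # build dependency as suggested in the reply above
        warnings.append("profile_* directives rely on a build with --enable-perfprofiling")
    return {"perfmonitor": perfmon, "profiling": profiling, "warnings": warnings}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(key, value)
```

To check a real file, pass its contents to `audit()`, for example `audit(open("snort.conf").read())`.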