[Snort-users] Enable perprofile

Abdullah AL-Mutairy abohabeeb1412 at ...11827...
Sun Apr 9 04:13:50 EDT 2017


Thank you guys for the help.

I will try as you have suggested.

I appreciate your help!

On Sun, Apr 9, 2017 at 3:06 AM, Joel Esler (jesler) <jesler at ...589...>
wrote:

> Also, the statements at the top of the Snort.conf are the recommended
> compile options.  They have nothing to do with the Snort.conf itself.
>
> --
> Sent from my iPhone
>
> > On Apr 8, 2017, at 19:29, "wkitty42 at ...14940..." <wkitty42 at ...14940...> wrote:
> >
> >> On 04/08/2017 06:23 PM, Abdullah AL-Mutairy wrote:
> >>
> >> Hello everyone!
> >>
> >> I was trying to enable performance profiling in snort 2.9.9.
> >> So I edited snort.conf and deleted the "#" that comes before OPTIONS : --enable-gre --enable-mpls .. etc.
> >> But when I validate the configurations I get an error.
> >
> > you don't need those for performance monitoring... maybe the one for
> > --enable-perfprofiling but those are for building snort from source so you need
> > to rebuild with that option in place...
> >
> >> How can I enable performance monitoring? I want to see details about CPU
> >> usage, number of signatures detected, and other details.
> >
> > you need to enable "preprocessor perfmonitor" in snort.conf... here's an
> > example... there are six lines... the first line is a description... the next
> > four are commented out examples... you only need one of the others to create the
> > csv file with the performance data in it... we use the last one here to get data
> > written to the csv file every 5 minutes...
> >
> > # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
> > # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
> > # preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
> > # preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 10000
> > # preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1000
> > preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1
> >
> >
> > then there's these next two sections... the first for profiling rules and the
> > second for profiling the snort processors...
> >
> > # rules profiling
> > # print worst 25 rules based on time spent in them...
> > #config profile_rules: print all, sort total_ticks, filename rules_stats.log
> > config profile_rules: print 25, sort total_ticks, filename rules_stats.log
> >
> > # preprocessor profiling
> > # print worst 10 preprocessors based on time spent in them...
> > config profile_preprocs: print 10, sort total_ticks, filename preprocs_stats.log
> >
> >
> > please read my signature below and keep responses *on the list*... do not reply
> > to me in private... it will be ignored or followed up by support contract
> > requirements... take the free assistance from the list while it is available ;)
> >
> > --
> >  NOTE: No off-list assistance is given without prior approval.
> >        *Please keep mailing list traffic on the list* unless
> >        private contact is specifically requested and granted.
> >
> > ------------------------------------------------------------
> ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
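
The following is an added example, not part of the original thread or of Snort itself: a small Python check that scans snort.conf text for the mistake described above (the build-options comment line left uncommented) and lists which of the quoted monitoring and profiling directives are actually active. The sample configuration, the function name `lint_profiling` and the report keys are constructed for illustration; the build requirement noted in the comments is the one stated in the thread.

```python
import re

# Constructed sample: a snort.conf fragment reproducing the mistake from the
# thread (build-options line uncommented) plus the directives quoted in it.
SAMPLE_CONF = """\
# Snort build options:
OPTIONS : --enable-gre --enable-mpls --enable-perfprofiling
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1
config profile_rules: print 25, sort total_ticks, filename rules_stats.log
config profile_preprocs: print 10, sort total_ticks, filename preprocs_stats.log
"""

DIRECTIVES = {
    "perfmonitor": re.compile(r"^preprocessor\s+perfmonitor\s*:\s*(.+)$"),
    "profile_rules": re.compile(r"^config\s+profile_rules\s*:\s*(.+)$"),
    "profile_preprocs": re.compile(r"^config\s+profile_preprocs\s*:\s*(.+)$"),
}
BUILD_OPTS = re.compile(r"^OPTIONS\s*:")  # informational header, must stay commented


def lint_profiling(conf_text):
    """Return errors and active monitoring/profiling directives (hypothetical helper)."""
    report = {"errors": [], "active": {}}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: not an active directive
        if BUILD_OPTS.match(line):
            report["errors"].append(
                (lineno, "build-options line is uncommented; restore the leading #"))
            continue
        for name, rx in DIRECTIVES.items():
            m = rx.match(line)
            if m:
                report["active"].setdefault(name, []).append(m.group(1).strip())
    # Per the thread, rule/preprocessor profiling needs a binary built with
    # --enable-perfprofiling; editing snort.conf alone does not add that support.
    report["needs_perfprofiling_build"] = any(
        n.startswith("profile_") for n in report["active"])
    # Reporting interval in seconds from each active perfmonitor line ("time N").
    found = (re.search(r"\btime\s+(\d+)", a) for a in report["active"].get("perfmonitor", []))
    report["perfmonitor_interval_s"] = [int(m.group(1)) for m in found if m]
    return report


if __name__ == "__main__":
    for key, value in lint_profiling(SAMPLE_CONF).items():
        print(key, "=", value)
```
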


