Snort mailing list archives

Re: What do "detect" and "rule eval" stand for in the profiling result of the Snort preprocessor?


From: Victor Roemer <viroemer () cisco com>
Date: Wed, 10 Jun 2015 13:33:08 -0400

Ricky,

These 2 counters refer to the outermost function calls which wrap most of the rule evaluation; and indeed Snort detection.

"detect" is the outermost function call for rule evaluation; below that, "rule eval" refers to the function that performs rule tree matching- this is pretty close to "rule tree eval" but 1 level higher.

Hope that makes sense.

On 6/9/15 22:23, Ricky Li wrote:
Hi

I am trying to test the performance of Snort with different rule sets. So I picked two rule sets:

1) Snort VRT set (https://www.snort.org/downloads/#rule-downloads)
2) ET (Emerging Threat) Open rule set (http://www.emergingthreats.net/open-source/etopen-ruleset)

I use the same input traffic and the same configuration for the two cases; the only difference is the "# site specific rules" section (rule files contained in the "rules" folder).

For case 1) I used the Snort VRT rules and for case 2) I used the ET Open rules. But the test results are quite different: the packets processed per second (PPS) with the ET rule set is only 10% of that with the Snort VRT rule set.

The preprocessor profiling results for case 2), the ET Open rule set is like:

Preprocessor Profile Statistics (worst 20)
==========================================================
Num Preprocessor    Layer  Checks   Exits    Microsecs  Avg/Check  Pct of Caller  Pct of Total
=== ============    =====  ======   =====    =========  =========  =============  ============
  1 detect              0   504840   504840   64274120     127.32          94.48         94.48
  1 rule eval           1  2737825  2737825   59599382      21.77          92.73         87.61
  1 rule tree eval      2  3252182  3252182   59297083      18.23          99.49         87.16
  1 session             3   504810   504810     432874       0.86           0.73          0.64
  2 content             3   439184   439184     175567       0.40           0.30          0.26

The top 3: detect, rule eval, and rule tree eval are very slow, and their percentage of total are all close to 100%!
So I have some questions:

1) What do the items "detect", "rule eval", "rule tree eval" exactly stand for? Is there any document introducing them?

2) Based on the profiling result above, why do those three items take so much resource? How to tune/optimize it?

3) For the performance gap between the Snort VRT rule set and the third-party ET Open rule set, is it because Snort has some internal optimization for the Snort VRT rule set (like some rule parsing engines) inside the Snort program? So it has better performance for the Snort VRT rule set, compared with other third-party rules.

Thank you very much for your kind help and answers!

Regards,
Ricky
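As an added example (not code from this thread or from Snort itself), the following Python script parses a "Preprocessor Profile Statistics" block, recomputes Avg/Check and Pct of Caller from the raw columns, infers the whole-run time from the layer-0 row, and subtracts each row's direct children to show how much time belongs to that level alone. The sample input is the thread's five rows re-laid one per line; the parent/child relation used here (the nearest earlier row one layer up) is an assumption of this example, chosen because it reproduces every Pct of Caller figure quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the five profile rows quoted in the thread,
# re-laid one entry per line (the archive had run them together).
SAMPLE = """\
Num Preprocessor    Layer  Checks   Exits    Microsecs  Avg/Check  Pct of Caller  Pct of Total
=== ============    =====  ======   =====    =========  =========  =============  ============
  1 detect              0   504840   504840   64274120     127.32          94.48         94.48
  1 rule eval           1  2737825  2737825   59599382      21.77          92.73         87.61
  1 rule tree eval      2  3252182  3252182   59297083      18.23          99.49         87.16
  1 session             3   504810   504810     432874       0.86           0.73          0.64
  2 content             3   439184   439184     175567       0.40           0.30          0.26
"""


@dataclass
class Entry:
    num: int
    name: str
    layer: int
    checks: int
    exits: int
    microsecs: int
    avg_check: float
    pct_caller: float
    pct_total: float


# One data row: Num, a name that may contain spaces, four integers, three decimals.
ROW = re.compile(
    r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_profile(text: str) -> List[Entry]:
    """Parse the data rows of a 'Preprocessor Profile Statistics' block."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, underline or blank line
        num, name, layer, checks, exits, us, avg, pc, pt = m.groups()
        entries.append(Entry(int(num), name.strip(), int(layer), int(checks),
                             int(exits), int(us), float(avg), float(pc), float(pt)))
    return entries


def caller_of(entries: List[Entry], i: int) -> Optional[Entry]:
    """Enclosing call of row i: assumed (in this example) to be the nearest
    earlier row exactly one layer up. None for the layer-0 root."""
    for j in range(i - 1, -1, -1):
        if entries[j].layer == entries[i].layer - 1:
            return entries[j]
    return None


def self_microsecs(entries: List[Entry], i: int) -> int:
    """Time charged to row i minus the time of its direct children."""
    e = entries[i]
    own = e.microsecs
    for child in entries[i + 1:]:
        if child.layer <= e.layer:
            break  # left this row's subtree
        if child.layer == e.layer + 1:
            own -= child.microsecs
    return own


def check_entries(entries: List[Entry], tol: float = 0.01) -> List[str]:
    """Recompute Avg/Check and Pct of Caller; return one message per mismatch."""
    problems = []
    for i, e in enumerate(entries):
        avg = e.microsecs / e.checks
        if abs(avg - e.avg_check) > tol:
            problems.append(f"{e.name}: Avg/Check {e.avg_check} != {avg:.2f}")
        parent = caller_of(entries, i)
        if parent is not None:
            pct = 100.0 * e.microsecs / parent.microsecs
            if abs(pct - e.pct_caller) > tol:
                problems.append(f"{e.name}: Pct of Caller {e.pct_caller} != {pct:.2f}")
    return problems


def total_microsecs(entries: List[Entry]) -> float:
    """Whole-run time implied by the layer-0 row's Pct of Total."""
    root = next(e for e in entries if e.layer == 0)
    return root.microsecs * 100.0 / root.pct_total


def hot_spots(entries: List[Entry], threshold: float = 50.0) -> List[str]:
    """Names of rows that consume at least `threshold` percent of the run."""
    return [e.name for e in entries if e.pct_total >= threshold]


if __name__ == "__main__":
    rows = parse_profile(SAMPLE)
    print("consistency problems:", check_entries(rows) or "none")
    for i, e in enumerate(rows):
        print(f"{'  ' * e.layer}{e.name:<16} self={self_microsecs(rows, i):>10} us")
    print("hot spots:", hot_spots(rows))
```

Run on the rows above it reports no inconsistencies, and the self-time column makes the nesting visible: of the 59.3 s charged to "rule tree eval", about 58.7 s is not attributed to any child row, while "detect" and "rule eval" keep only 4.7 s and 0.3 s for themselves. The three top entries all sit near 90% because each is a wrapper around the next, so Pct of Caller nests rather than adds up.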


------------------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!