Re: no rules in perf profiling

[Felix via Snort-users <snort-users () lists snort org>]

Ross, your explanation helps a lot. thx!
Now I just have to get my head around the numbers in the preproc
perfmonitor ;-)

felix

On 08/11/2018 12:41, Russ via Snort-users wrote:
> Hey Felix,
>
> To answer your original question, Snort rules are only evaluated if
> there is a fast pattern match or they if they have no fast pattern
> contents.  The latter yields terrible performance so good rules have a
> fast pattern if possible.  If there are no fast pattern matches then no
> rules are profiled but work may still be done to search for the fast
> patterns.  From your description it seems like set B is causing more
> pattern matching than set A.  Two things may help determine what is
> going on:
>
> 1. config profile_preprocs should show detection effort in ticks and
> percent.
>
> 2. preprocessor perfmonitor will show the PatMatch value which is how
> much pattern matching is going on relative to bytes received.
>
> Neither of those break down by rule though because of the parallel
> nature of the search.  However, you can use that data to help identify
> the expensive rules.
>
> Hope that helps.
> Russ
>
> On 11/8/18 5:11 AM, Felix via Snort-users wrote:
> > No hints?
> > Let me rephrase my question with a different example:
> > I have two sets of rules, both contain the same number of rules.
> > If I use Snort on the below mentioned traffic trace (at the same replay
> > speed) set A gives me 0% dropped packets while set B gives me 15% drops.
> > With set B, no rules are reported by the perf profiling.
> > The number of chain headers is the same with both sets.
> > This triggers two questions:
> >
> > Why is perf profiling not reporting any rules (with set B) although
> > there must be some rules responsible for the significantly higher drop rate?
> >
> > How can I find out which rules are eating all the performance?
> >
> > thx and regards
> >
> > felix
> >
> > On 25/10/2018 17:17, Felix via Snort-users wrote:
> > > Hi all,
> > >
> > > I am trying to identify Snort rules that eat a lot of performance. I am
> > > applying web related snort-community rules. For this I am using the
> > > build-in perf profiling. After a test run on 6mio packets (no
> > > alerts) the profile_rules gives me ~100 rules. I remove them and repeat
> > > the test run. Now it says "No rules were profiled". In my understanding
> > > of the profiler this means that none of the rules used any cpu time.
> > > How can that be, given that HTTP inspect reports thousands of HTTP
> > > requests and of the remaining 3,6k web based rules most contain http
> > > related content patterns.
> > > There are also many 'any any -> any any' headers or equivalent (given
> > > that HOME_NET and EXTERNAL_NET maps to any), so the detection engine has
> > > to go down the chain options, as far as my understanding goes.
> > >
> > > Can someone explain me why no rules are reported by the perf profiling?
> > >
> > > Using snort 2.9.11 on Ubuntu 16.04 and default snort.conf
> > >
> > > thx and regards
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists snort org
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.snort.org/mailman/listinfo/snort-users
> > >
> > >     To unsubscribe, send an email to:
> > >     snort-users-leave () lists snort org
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> > >
> > > Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists snort org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> >      To unsubscribe, send an email to:
> >      snort-users-leave () lists snort org
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> > Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>       To unsubscribe, send an email to:
>       snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

-- 
Felix Erlacher

ccs-labs.org/~erlacher
Key-ID:4EAC0959
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette