Snort mailing list archives

Re: Performance monitoring issues


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 6 Sep 2013 08:59:21 -0400

Not sure what is causing the lines to wrap like that, but it's fairly
impossible to read. If you want to attach that as a plaintext Word
document, that would be beneficial. That said, do some rule profiling
as well; that way we can see what rules are causing problems, if any.

On Fri, Sep 6, 2013 at 6:45 AM, Lee Saunders <lee.saunders () zynstra com> wrote:
I've been starting performance monitoring on my setup, as there are
unexpected drops appearing at one single installation (virtualized
configuration, so the traffic profile is pretty similar to other installations).

The bandwidth is pre-filtered so is relatively small, certainly small
enough that drops are not currently expected. The first peculiarity
is that, looking at perfmon, I see patmatch-percent numbers in the range 70 -
300%, very high and not what I'd expect.

Looking then at profile monitoring, I can't find much on how to read and
act on the values. I'm currently running a test for the rules profiling,
but a preprocessor profile based on total ticks sorting has raised a
couple of queries. The output of a short run is repeated below. However,
the rtn eval value, when looked at against other outputs on the web,
looks very high, at 622810 ms, but it is not clear what this represents or how to
improve it. There is also the implication from the output that this and
rule tree eval are siblings of rule eval, but the % of parent then does
not add up, with a value of around 170% - is there a known problem with
how these are reported, and is this a red herring?

I'm at the outset of the tuning exercise, but it's proving difficult to
find resources which outline how to interpret these values and how to
mitigate them. I'm assuming the top offending detect is influenced
primarily by the rule definitions, hence the rules profiling I'm
currently doing, but some insight into minimizing the subtasks would be
useful, and whether any of the other preprocessors can influence this.

timestamp: 1378398556
Preprocessor Profile Statistics (all)
==========================================================
  Num              Preprocessor  Layer    Checks     Exits  Microsecs  Avg/Check  Pct of Caller  Pct of Total
  ===              ============  =====    ======     =====  =========  =========  =============  ============
   1                     detect      0     10553     10553     873142      82.74          83.64         83.64
    1                 rule eval      1     10427     10427     752623      72.18          86.20         72.09
     1           rule tree eval      2     21935     21935     750099      34.20          99.66         71.85
      1                 content      3      4836      4836       1449       0.30           0.19          0.14
      2                    pcre      3        19        19       1438      75.71           0.19          0.14
      3                   flags      3      8970      8970        656       0.07           0.09          0.06
      4               byte_test      3      2929      2929        517       0.18           0.07          0.05
      5                dsize_eq      3      3987      3987        402       0.10           0.05          0.04
      6                    flow      3      2021      2021        172       0.09           0.02          0.02
      7    preproc_rule_options      3      1256      1256         88       0.07           0.01          0.01
      8              uricontent      3       168       168         64       0.38           0.01          0.01
      9                   itype      3       318       318         40       0.13           0.01          0.00
     10                flowbits      3       212       212         32       0.15           0.00          0.00
     11                   icode      3       285       285         14       0.05           0.00          0.00
     12               file_data      3       123       123          5       0.04           0.00          0.00
     13            byte_extract      3         6         6          3       0.52           0.00          0.00
     14                isdataat      3         8         8          1       0.20           0.00          0.00
     15                  window      3         4         4          0       0.15           0.00          0.00
     2                 rtn eval      2   1039167   1039167     622810       0.60          82.75         59.66
    2                      mpse      1     10212     10212      87608       8.58          10.03          8.39
   2                         s5      0      9321      9321      86594       9.29           8.29          8.29
    1                     s5tcp      1      8062      6651      64012       7.94          73.92        6.1310
     1               s5TcpState      2      6651      6651      46814       7.04          73.13          4.48
      1               s5TcpData      3      1606      1606       5624       3.50          12.01          0.54
       1         s5TcpPktInsert      4      1406      1406       4829       3.43          85.86          0.46
      2              s5TcpFlush      3      1037      1037       2863       2.76           6.12          0.27
       1    s5TcpProcessRebuilt      4       892       892      50297      56.39        1756.44          4.82
       2       s5TcpBuildPacket      4       892       892        665       0.75          23.25          0.06
     2             s5TcpNewSess      2       197       197       1075       5.46           1.68          0.10
   3                        ssl      0      2090      2090      20935      10.02           2.01          2.01
   4                     decode      0      9853      9853      20088       2.04           1.92          1.92
   5             sensitive_data      0       162       162      14964      92.37           1.43          1.43
   6                     eventq      0     20562     20562       6610       0.32           0.63          0.63
   7                       smtp      0      3748      3748       5387       1.44           0.52          0.52
   8                httpinspect      0      3782      3782       5162       1.36           0.49          0.49
   9                 DceRpcMain      0      2865      2865       3518       1.23           0.34          0.34
    1             DceRpcSession      1      2865      2865       2745       0.96          78.01          0.26
     1         DceRpcNewSession      2      2865      2865       1584       0.55          57.72          0.15
  10                    perfmon      0     10721     10721       3119       0.29           0.30          0.30
  11                        ssh      0      2433      2116       1805       0.74           0.17          0.17
  12                        pop      0      3707      3707       1434       0.39           0.14          0.14
  13                       imap      0      3707      3707       1254       0.34           0.12          0.12
  14                        sip      0      3692      3692        842       0.23           0.08          0.08
  15                     modbus      0      3707      3707        692       0.19           0.07          0.07
  16                       dnp3      0      1259      1259        572       0.46           0.05          0.05
  17                backorifice      0      1259      1259        437       0.35           0.04          0.04
  18                        dns      0       820       820        164       0.20           0.02          0.02
  total                   total      0      9835      9835    1043957     106.15           0.00          0.00

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
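The question in the thread is how to read the preprocessor profile table, and in particular why two children of "rule eval" can each report close to 100% of their caller. The script below is an added example, not code from the thread or from Snort: it parses a table in the layout Snort printed above, uses the Layer column as nesting depth to rebuild the caller/callee tree, recomputes Avg/Check (Microsecs / Checks) and Pct of Caller (Microsecs / caller's Microsecs, or / total for layer 0) from the raw counters, and reports any layer whose children's microseconds add up to more than its own, which is exactly what makes the "% of parent" figures in the post sum to well over 100. The sample table is a constructed excerpt of the posted output (s5tcp's last column is taken as 6.13); the column meanings are assumptions based on the header line, and the script does not claim to know why Snort's timers overlap, only that they do in this output.

```python
"""Added example (not from the thread or from Snort): parse the table that
Snort's preprocessor profiling prints, rebuild the caller/callee tree from the
Layer column, recompute Avg/Check and Pct of Caller from the raw counters, and
flag layers whose children account for more than 100% of the caller's time."""
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the table posted in the thread, with the
# header and ruler lines kept so the parser has to skip them.
SAMPLE = """\
timestamp: 1378398556
Preprocessor Profile Statistics (all)
==========================================================
  Num  Preprocessor  Layer  Checks  Exits  Microsecs  Avg/Check  Pct of Caller  Pct of Total
  ===  ============  =====  ======  =====  =========  =========  =============  ============
   1               detect  0    10553   10553   873142   82.74    83.64   83.64
    1           rule eval  1    10427   10427   752623   72.18    86.20   72.09
     1     rule tree eval  2    21935   21935   750099   34.20    99.66   71.85
      2              pcre  3       19      19     1438   75.71     0.19    0.14
     2           rtn eval  2  1039167 1039167   622810    0.60    82.75   59.66
    2                mpse  1    10212   10212    87608    8.58    10.03    8.39
   2                   s5  0     9321    9321    86594    9.29     8.29    8.29
    1               s5tcp  1     8062    6651    64012    7.94    73.92    6.13
     1         s5TcpState  2     6651    6651    46814    7.04    73.13    4.48
      2        s5TcpFlush  3     1037    1037     2863    2.76     6.12    0.27
       1 s5TcpProcessRebuilt 4    892     892    50297   56.39  1756.44    4.82
       2   s5TcpBuildPacket  4    892     892      665    0.75    23.25    0.06
     2       s5TcpNewSess  2      197     197     1075    5.46     1.68    0.10
  total               total  0     9835    9835  1043957  106.15     0.00    0.00
"""

NUMBER = re.compile(r"^\d+(\.\d+)?$")


@dataclass
class Node:
    num: str
    name: str
    layer: int
    checks: int
    exits: int
    microsecs: int
    avg_check: float
    pct_caller: float
    pct_total: float
    parent: "Node | None" = None
    children: list = field(default_factory=list)


def parse_profile(text):
    """Return (rows in print order, total microseconds).

    A data row ends in seven numeric columns; header, ruler and timestamp
    lines do not, so they are skipped. Names may contain spaces
    ("rule tree eval"), hence the split from the right."""
    rows, stack, total_us = [], [], None
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 9 or not all(NUMBER.match(t) for t in toks[-7:]):
            continue
        if toks[0] == "total":
            total_us = int(toks[-4])
            continue
        node = Node(toks[0], " ".join(toks[1:-7]), int(toks[-7]), int(toks[-6]),
                    int(toks[-5]), int(toks[-4]), float(toks[-3]),
                    float(toks[-2]), float(toks[-1]))
        # Layer is the nesting depth: the caller is the nearest preceding row
        # with a smaller layer, so pop everything at the same or deeper level.
        while stack and stack[-1].layer >= node.layer:
            stack.pop()
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        stack.append(node)
        rows.append(node)
    if total_us is None:
        raise ValueError("no 'total' row found")
    return rows, total_us


def recompute(rows, total_us):
    """{name: (avg_check, pct_caller)} recomputed from Checks and Microsecs.

    Compare against the printed columns; small differences are expected since
    the microsecond figure is itself rounded before printing."""
    out = {}
    for r in rows:
        avg = r.microsecs / r.checks if r.checks else 0.0
        caller_us = r.parent.microsecs if r.parent else total_us
        out[r.name] = (round(avg, 2), round(100.0 * r.microsecs / caller_us, 2))
    return out


def overlapping_timers(rows):
    """[(name, children_sum_as_pct_of_parent)] for layers whose children's time
    exceeds their own. Children should partition the caller's time; when they
    sum past 100% their timers overlap, and Pct of Caller is not a share."""
    out = []
    for r in rows:
        child_us = sum(c.microsecs for c in r.children)
        if r.children and child_us > r.microsecs:
            out.append((r.name, round(100.0 * child_us / r.microsecs, 2)))
    return out


def costliest_leaves(rows, n=3):
    """Leaf rows ranked by Avg/Check: the per-call cost is the tuning target."""
    leaves = [r for r in rows if not r.children]
    return [(r.name, r.avg_check)
            for r in sorted(leaves, key=lambda r: r.avg_check, reverse=True)[:n]]


if __name__ == "__main__":
    rows, total_us = parse_profile(SAMPLE)
    for name, pct in overlapping_timers(rows):
        print(f"{name}: children sum to {pct}% of caller time (timers overlap)")
    for name, (avg, pct) in recompute(rows, total_us).items():
        print(f"{name:>22}  avg/check={avg:>8}  pct_of_caller={pct:>8}")
    print("costliest per call:", costliest_leaves(rows, 2))
```

On the posted numbers the overlap check flags "rule eval" (its two children sum to about 182% of its time) and "s5TcpFlush" (about 1780%), so the sibling percentages in the table cannot be read as shares of the parent, which is the discrepancy the post asks about. The recomputed Avg/Check and Pct of Caller reproduce the printed values to within rounding, so the other columns are internally consistent.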


