Re: Enable perprofile

["Joel Esler (jesler)" <jesler () cisco com>]

Also, the statements at the top of the Snort.conf are the recommended compile options.  They have nothing to do with 
the Snort.conf itself.   

--
Sent from my iPhone

> On Apr 8, 2017, at 19:29, "wkitty42 () windstream net" <wkitty42 () windstream net> wrote:
>
> > On 04/08/2017 06:23 PM, Abdullah AL-Mutairy wrote:
> >
> > Hello everyone!
> >
> > I was trying to enable performance profiling in snort 2.9.9.
> > So i edit snort.conf and delete the "#" that comes before OPTIONS : --enbale-gre --enable-mpls .. etc.
> > But when i validate the configurations i get an error.
>
> you don't need those for performance monitoring... maybe the one for 
> --enable-perfprofiling but those are for building snort from source so you need 
> to rebuild with that option in place...
>
> > How can i enable performance monitoring? I want to see details about cpu
> > usage, number of signatures detected, and other details.
>
> you need to enable "preprocessor perfmonitor" in snort.conf... here's an 
> example... there are six lines... the first line is a description... the next 
> four are commented out examples... you only need one of the others to create the 
> csv file with the performance data in it... we use the last one here to get data 
> written to the csv file every 5 minutes...
>
> # performance statistics.  For more information, see the Snort Manual, 
> Configuring Snort - Preprocessors - Performance Monitor
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
> # preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
> # preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 10000
> # preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1000
> preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1
>
>
> then there's these next two sections... the first for profiling rules and the 
> second for profiling the snort processors...
>
> # rules profiling
> # print worst 25 rules based on time spent in them...
> #config profile_rules: print all, sort total_ticks, filename rules_stats.log
> config profile_rules: print 25, sort total_ticks, filename rules_stats.log
>
> # preprocessor profiling
> # print worst 10 preprocessors based on time spent in them...
> config profile_preprocs: print 10, sort total_ticks, filename preprocs_stats.log
>
>
> please read my signature below and keep responses *on the list*... do not reply 
> to me in private... it will be ignored or followed up by support contract 
> requirements... take the free assistance from the list while it is available ;)
>
> -- 
>  NOTE: No off-list assistance is given without prior approval.
>        *Please keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!