Snort mailing list archives

no rules in perf profiling


From: Felix via Snort-users <snort-users () lists snort org>
Date: Thu, 25 Oct 2018 17:17:48 +0200

Hi all,

I am trying to identify Snort rules that eat a lot of performance. I am
applying web-related snort-community rules. For this I am using the
built-in perf profiling. After a test run on 6 million packets (no
alerts) the profile_rules gives me ~100 rules. I remove them and repeat
the test run. Now it says "No rules were profiled". In my understanding
of the profiler this means that none of the rules used any CPU time.
How can that be, given that HTTP inspect reports thousands of HTTP
requests and most of the remaining 3.6k web-based rules contain
HTTP-related content patterns?
There are also many 'any any -> any any' headers or equivalent (given
that HOME_NET and EXTERNAL_NET map to any), so the detection engine has
to go down the chain of options, as far as my understanding goes.

Can someone explain to me why no rules are reported by the perf profiling?

Using Snort 2.9.11 on Ubuntu 16.04 and the default snort.conf.

Thanks and regards
-- 
Felix Erlacher
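The question above is about reading the rule-profiling table that Snort 2.x prints at shutdown and picking out the expensive rules. The following is an added example, not code from the thread or from the Snort project: a small parser that reads that text table, ranks rules by average cost per check, and reports each rule's share of the total profiled cost. The sample output embedded below is constructed to resemble the Snort 2.9 `Rule Profile Statistics` format; the exact column names vary between releases (for instance `Ticks` versus `Microsecs`, with or without a `Disabled` column), so the parser takes the column names from the header line rather than assuming a fixed layout. The literal `No rules were profiled` is the message quoted in the question and is treated as a distinct empty result.

```python
"""Rank Snort 2.x rule-profiling output by cost (added example, not Snort code)."""
from typing import Dict, List, Union

Number = Union[int, float]
Row = Dict[str, Number]

# CONSTRUCTED sample, modelled on the Snort 2.9 "Rule Profile Statistics"
# table. Values are invented for illustration only.
SAMPLE_PROFILE = """\
Rule Profile Statistics (all rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1     2100   1   5      60000         0         0                 900        0.0        0.0          0.0          0
     2     2200   1   3      12000         3         3              180000       15.0     1000.0         14.8          0
     3     2300   1   1        500       500         0               25000       50.0       50.0          0.0          0
"""

# Message Snort prints when the profiler has nothing to report.
NO_RULES_MSG = "No rules were profiled"


def _to_number(token: str) -> Number:
    """Convert a table cell to int where possible, else float."""
    try:
        return int(token)
    except ValueError:
        return float(token)


def parse_rule_profile(text: str) -> List[Row]:
    """Parse the profile table into one dict per rule, keyed by header names.

    Returns an empty list when Snort reported that no rules were profiled.
    """
    if NO_RULES_MSG in text:
        return []
    header: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        # The header is the line that starts with "Num" and names a SID column.
        if cols[0] == "Num" and "SID" in cols:
            header = cols
            continue
        # Data rows start with the rule's ordinal; skip titles and "===" rulers.
        if not header or not cols[0].isdigit():
            continue
        if len(cols) != len(header):
            continue  # malformed or wrapped line: ignore rather than misalign columns
        rows.append({name: _to_number(tok) for name, tok in zip(header, cols)})
    return rows


def top_rules(text: str, n: int = 10, key: str = "Avg/Check") -> List[Row]:
    """Return the n most expensive rules, sorted descending by the given column.

    Falls back to total cost (Microsecs or Ticks) if the requested column is absent.
    """
    rows = parse_rule_profile(text)
    if not rows:
        return []
    if key not in rows[0]:
        key = "Microsecs" if "Microsecs" in rows[0] else "Ticks"
    return sorted(rows, key=lambda r: r[key], reverse=True)[:n]


def cost_share(text: str) -> Dict[int, float]:
    """Map SID -> fraction of the total profiled cost (Microsecs or Ticks)."""
    rows = parse_rule_profile(text)
    if not rows:
        return {}
    col = "Microsecs" if "Microsecs" in rows[0] else "Ticks"
    total = sum(r[col] for r in rows)
    return {int(r["SID"]): (r[col] / total if total else 0.0) for r in rows}


if __name__ == "__main__":
    for r in top_rules(SAMPLE_PROFILE, n=3):
        print(int(r["SID"]), r["Checks"], r["Avg/Check"])
    print(cost_share(SAMPLE_PROFILE))
    print(parse_rule_profile(NO_RULES_MSG))
```

Feed it the profiling section of Snort's shutdown output (or the file named in `config profile_rules ... filename`) and sort on `Avg/Check` to find rules that are costly each time they are evaluated, or on the total-cost column to find rules that dominate because they are checked very often; the two lists usually differ.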





