Snort mailing list archives
no rules in perf profiling
From: Felix via Snort-users <snort-users () lists snort org>
Date: Thu, 25 Oct 2018 17:17:48 +0200
Hi all, I am trying to identify Snort rules that eat a lot of performance. I am applying web related snort-community rules. For this I am using the build-in perf profiling. After a test run on 6mio packets (no alerts) the profile_rules gives me ~100 rules. I remove them and repeat the test run. Now it says "No rules were profiled". In my understanding of the profiler this means that none of the rules used any cpu time. How can that be, given that HTTP inspect reports thousands of HTTP requests and of the remaining 3,6k web based rules most contain http related content patterns. There are also many 'any any -> any any' headers or equivalent (given that HOME_NET and EXTERNAL_NET maps to any), so the detection engine has to go down the chain options, as far as my understanding goes. Can someone explain me why no rules are reported by the perf profiling? Using snort 2.9.11 on Ubuntu 16.04 and default snort.conf thx and regards -- Felix Erlacher
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- no rules in perf profiling Felix via Snort-users (Oct 25)
- Re: no rules in perf profiling Felix via Snort-users (Nov 08)
- Re: no rules in perf profiling Russ via Snort-users (Nov 08)
- Re: no rules in perf profiling Felix via Snort-users (Nov 08)
- Re: no rules in perf profiling Russ via Snort-users (Nov 08)
- Re: no rules in perf profiling Felix via Snort-users (Nov 08)