Snort mailing list archives
Re: no rules in perf profiling
From: Felix via Snort-users <snort-users () lists snort org>
Date: Thu, 8 Nov 2018 11:11:25 +0100
No hints? Let me rephrase my question with a different example: I have two sets of rules, both containing the same number of rules. If I use Snort on the below-mentioned traffic trace (at the same replay speed), set A gives me 0% dropped packets while set B gives me 15% drops. With set B, no rules are reported by the perf profiling. The number of chain headers is the same with both sets.

This triggers two questions: Why is perf profiling not reporting any rules (with set B), although there must be some rules responsible for the significantly higher drop rate? How can I find out which rules are eating all the performance?

thx and regards
felix

On 25/10/2018 17:17, Felix via Snort-users wrote:
> Hi all,
>
> I am trying to identify Snort rules that eat a lot of performance. I am applying web-related snort-community rules. For this I am using the built-in perf profiling. After a test run on 6 million packets (no alerts), profile_rules gives me ~100 rules. I remove them and repeat the test run. Now it says "No rules were profiled". In my understanding of the profiler, this means that none of the rules used any CPU time. How can that be, given that HTTP inspect reports thousands of HTTP requests and of the remaining 3.6k web-based rules most contain HTTP-related content patterns? There are also many 'any any -> any any' headers or equivalent (given that HOME_NET and EXTERNAL_NET map to any), so the detection engine has to go down the chain options, as far as my understanding goes.
>
> Can someone explain to me why no rules are reported by the perf profiling?
>
> Using Snort 2.9.11 on Ubuntu 16.04 and default snort.conf
>
> thx and regards
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
> To unsubscribe, send an email to: snort-users-leave () lists snort org
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
-- Felix Erlacher ccs-labs.org/~erlacher Key-ID:4EAC0959
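An added example, not part of this thread or of Snort itself, for the second question (which rules are eating the performance): a small Python parser for the rule-profiling table that Snort 2.9 prints (assumed here to be the "Rule Profile Statistics" layout produced with `config profile_rules: print all, sort total_ticks`; the sample rows are constructed), ranking rules by total microseconds and flagging rules that are checked often but never match.

```python
from dataclasses import dataclass

# Constructed sample in the assumed layout of Snort 2.9 rule profiling output
# (column names as printed by the profiler; values are made up for illustration).
SAMPLE = """\
Rule Profile Statistics (all rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts           Microsecs  Avg/Check  Avg/Match Avg/Nonmatch   Disabled
   ===      === === ===     ======   =======    ======           =========  =========  ========= ============   ========
     1     2001   1   3     120000        40         0              480000       4.00      12.00         4.00          0
     2     2002   1   1       5000      5000         2               60000      12.00      12.00         0.00          0
     3     2003   1   2     300000         0         0               90000       0.30       0.00         0.30          0
"""

@dataclass
class RuleStat:
    sid: int
    gid: int
    rev: int
    checks: int     # how often the rule body was evaluated after the fast-pattern stage
    matches: int    # how often all options matched
    alerts: int
    microsecs: int  # total CPU time spent evaluating the rule

def parse_rule_profile(text):
    """Return one RuleStat per data row; header/separator lines are skipped."""
    stats = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 12 columns and the first eight are plain integers.
        if len(f) >= 12 and all(x.isdigit() for x in f[:8]):
            stats.append(RuleStat(int(f[1]), int(f[2]), int(f[3]), int(f[4]),
                                  int(f[5]), int(f[6]), int(f[7])))
    return stats

def total_microsecs(stats):
    return sum(r.microsecs for r in stats)

def rank_by_cost(stats, top=10):
    """Rules ordered by total CPU time: the first entries are the ones to tune or drop."""
    return sorted(stats, key=lambda r: r.microsecs, reverse=True)[:top]

def wasted_checks(stats):
    """Rules evaluated many times without ever matching: candidates for a more
    selective fast pattern, since every check there is pure overhead."""
    return [r for r in stats if r.checks > 0 and r.matches == 0]

if __name__ == "__main__":
    rules = parse_rule_profile(SAMPLE)
    for r in rank_by_cost(rules):
        print(f"sid {r.sid}: {r.microsecs} us, {r.checks} checks, {r.matches} matches")
```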
Current thread:
- no rules in perf profiling Felix via Snort-users (Oct 25)
- Re: no rules in perf profiling Felix via Snort-users (Nov 08)
- Re: no rules in perf profiling Russ via Snort-users (Nov 08)
- Re: no rules in perf profiling Felix via Snort-users (Nov 08)
- Re: no rules in perf profiling Russ via Snort-users (Nov 08)
- Re: no rules in perf profiling Felix via Snort-users (Nov 08)