Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: no rules in perf profiling

From: Felix via Snort-users <snort-users () lists snort org>
Date: Thu, 8 Nov 2018 11:11:25 +0100
No hints?
Let me rephrase my question with a different example:
I have two sets of rules, both contain the same number of rules.
If I use Snort on the below mentioned traffic trace (at the same replay
speed) set A gives me 0% dropped packets while set B gives me 15% drops.
With set B, no rules are reported by the perf profiling.
The number of chain headers is the same with both sets.
This triggers two questions:

Why is perf profiling not reporting any rules (with set B) although
there must be some rules responsible for the significantly higher drop rate?

How can I find out which rules are eating all the performance?

thx and regards

felix

On 25/10/2018 17:17, Felix via Snort-users wrote:

Hi all,

I am trying to identify Snort rules that eat a lot of performance. I am
applying web related snort-community rules. For this I am using the
build-in perf profiling. After a test run on 6mio packets (no
alerts) the profile_rules gives me ~100 rules. I remove them and repeat
the test run. Now it says "No rules were profiled". In my understanding
of the profiler this means that none of the rules used any cpu time.
How can that be, given that HTTP inspect reports thousands of HTTP
requests and of the remaining 3,6k web based rules most contain http
related content patterns.
There are also many 'any any -> any any' headers or equivalent (given
that HOME_NET and EXTERNAL_NET maps to any), so the detection engine has
to go down the chain options, as far as my understanding goes.

Can someone explain me why no rules are reported by the perf profiling?

Using snort 2.9.11 on Ubuntu 16.04 and default snort.conf

thx and regards


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

      To unsubscribe, send an email to:
      snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette



-- 
Felix Erlacher

ccs-labs.org/~erlacher
Key-ID:4EAC0959

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Previous By Date Next
Previous By Thread Next

Current thread: