Re: Rule Profiling on small pcap

[Tony Robinson <deusexmachina667 () gmail com>]

Mike,

I could be quite wrong here, but as I understand it, rule profiling is only
going to give you statistics for rules that actually consumed CPU cycles
(ticks), and were actually checked. and then, only the worse performers out
of rules checked. What determines whether or a rule is checked against and
consumes CPU time would the rule trees that snort creates and whether or
not snort has your particular network traffic checked against the rule tree
where the rules you are looking to profile are actually loaded.

Additionally, I do not believe having profile statistics are going to
provide much value against a small PCAP. the idea of rule profiling
statistics being that you want to get an idea as to how much CPU time a
given rule or set of rules is going to consume against what is considered
real world traffic for your network, and whether or not the rule is going
to cause unacceptable delay in processing. and a small PCAP isn't going to
give you a sufficient cross section to determine that -- at least in my
very humble opinion.

Sincerely,

DA.



On Mon, Nov 12, 2012 at 6:04 PM, Mike Cox <mike.cox52 () gmail com> wrote:

> When running a small pcap thru Snort that is configured for rule
> profiling, I don't see Rule Profile Statistics for rules that were
> loaded but did not match (i.e. alert) on anything.  I see Rule Profile
> Statistics on the rule(s) that did generate an alert.
>
> Is this normal?
>
> What is the criteria for rule profile stats?  Is it polling based such
> that a small pcap gets processed before the polling interval is
> realized unless a rule fires?
>
> How do you do perf test on small pcaps?  (I sense a comment from Joel
> coming saying testing small pcaps isn't useful....)
>
> Thanks.
>
> -Mike Cox
>
>
> ------------------------------------------------------------------------------
> Monitor your physical, virtual and cloud infrastructure from a single
> web console. Get in-depth insight into apps, servers, databases, vmware,
> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> Pricing starts from $795 for 25 servers or applications!
> http://p.sf.net/sfu/zoho_dev2dev_nov
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!