Snort mailing list archives
Re: Rule Profiling on small pcap
From: Mike Cox <mike.cox52 () gmail com>
Date: Tue, 13 Nov 2012 08:01:02 -0600
DA.,

Thanks for the response and I agree with what you are saying and it is pretty much exactly what I was thinking when I wrote the email. However, I thought it odd that when I configured rule profiling to 'print all' and Snort loaded the rules (in this case a small set of two rules), the profiling output did not have the rules listed (the profiling output file said, 'No rules were profiled'). Sorry for not being clearer about this in my first email.

Thanks.

-Mike Cox

On Mon, Nov 12, 2012 at 6:45 PM, Tony Robinson <deusexmachina667 () gmail com> wrote:
Mike,

I could be quite wrong here, but as I understand it, rule profiling is only going to give you statistics for rules that actually consumed CPU cycles (ticks), and were actually checked. And then, only the worst performers out of rules checked. What determines whether or not a rule is checked against and consumes CPU time would be the rule trees that Snort creates and whether or not Snort has your particular network traffic checked against the rule tree where the rules you are looking to profile are actually loaded.

Additionally, I do not believe having profile statistics is going to provide much value against a small PCAP. The idea of rule profiling statistics being that you want to get an idea as to how much CPU time a given rule or set of rules is going to consume against what is considered real world traffic for your network, and whether or not the rule is going to cause unacceptable delay in processing. And a small PCAP isn't going to give you a sufficient cross section to determine that -- at least in my very humble opinion.

Sincerely,
DA.

On Mon, Nov 12, 2012 at 6:04 PM, Mike Cox <mike.cox52 () gmail com> wrote:

When running a small pcap thru Snort that is configured for rule profiling, I don't see Rule Profile Statistics for rules that were loaded but did not match (i.e. alert) on anything. I see Rule Profile Statistics on the rule(s) that did generate an alert.

Is this normal? What are the criteria for rule profile stats? Is it polling based such that a small pcap gets processed before the polling interval is realized unless a rule fires? How do you do perf test on small pcaps? (I sense a comment from Joel coming saying testing small pcaps isn't useful....)

Thanks.

-Mike Cox

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!

--
when does reality end? when does fantasy begin?