
List:       snort-users
Subject:    Re: [Snort-users] no rules in perf profiling
From:       Felix via Snort-users <snort-users () lists ! snort ! org>
Date:       2018-11-08 15:45:44
Message-ID: fdacd49a-0458-7c82-37bf-a2d60569c0d7 () ccs-labs ! org

Russ, your explanation helps a lot. thx!
Now I just have to get my head around the numbers in the preproc
perfmonitor ;-)

felix

On 08/11/2018 12:41, Russ via Snort-users wrote:
> Hey Felix,
> 
> To answer your original question, Snort rules are only evaluated if
> there is a fast pattern match or if they have no fast pattern
> contents.  The latter yields terrible performance so good rules have a
> fast pattern if possible.  If there are no fast pattern matches then no
> rules are profiled but work may still be done to search for the fast
> patterns.  From your description it seems like set B is causing more
> pattern matching than set A.  Two things may help determine what is
> going on:
> 
> 1. config profile_preprocs should show detection effort in ticks and
> percent.
> 
> 2. preprocessor perfmonitor will show the PatMatch value which is how
> much pattern matching is going on relative to bytes received.
> 
> Neither of those break down by rule though because of the parallel
> nature of the search.  However, you can use that data to help identify
> the expensive rules.
> 
> Hope that helps.
> Russ
> 
> On 11/8/18 5:11 AM, Felix via Snort-users wrote:
>> No hints?
>> Let me rephrase my question with a different example:
>> I have two sets of rules, both contain the same number of rules.
>> If I use Snort on the below mentioned traffic trace (at the same replay
>> speed) set A gives me 0% dropped packets while set B gives me 15% drops.
>> With set B, no rules are reported by the perf profiling.
>> The number of chain headers is the same with both sets.
>> This triggers two questions:
>>
>> Why is perf profiling not reporting any rules (with set B) although
>> there must be some rules responsible for the significantly higher drop rate?
>>
>> How can I find out which rules are eating all the performance?
>>
>> thx and regards
>>
>> felix
>>
>> On 25/10/2018 17:17, Felix via Snort-users wrote:
>>> Hi all,
>>>
>>> I am trying to identify Snort rules that eat a lot of performance. I am
>>> applying web related snort-community rules. For this I am using the
>>> built-in perf profiling. After a test run on 6mio packets (no
>>> alerts) the profile_rules gives me ~100 rules. I remove them and repeat
>>> the test run. Now it says "No rules were profiled". In my understanding
>>> of the profiler this means that none of the rules used any cpu time.
>>> How can that be, given that HTTP inspect reports thousands of HTTP
>>> requests and of the remaining 3,6k web based rules most contain http
>>> related content patterns?
>>> There are also many 'any any -> any any' headers or equivalent (given
>>> that HOME_NET and EXTERNAL_NET map to any), so the detection engine has
>>> to go down the chain options, as far as my understanding goes.
>>>
>>> Can someone explain to me why no rules are reported by the perf profiling?
>>>
>>> Using snort 2.9.11 on Ubuntu 16.04 and default snort.conf
>>>
>>> thx and regards
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users@lists.snort.org
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>> 	To unsubscribe, send an email to:
>>> 	snort-users-leave@lists.snort.org
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>
>>> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>>>
>>
>>
> 
> 
> 

-- 
Felix Erlacher

ccs-labs.org/~erlacher
Key-ID:4EAC0959
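As an added example (not from the thread, and not Snort's own code), a small Python audit that applies Russ's point to a rules file: it flags rules with no fast-pattern candidate (no `content`/`uricontent`, or only negated ones), which Snort has to evaluate on every packet matching their header, and rules whose header collapses to any any -> any any once HOME_NET and EXTERNAL_NET resolve to any, as in Felix's default snort.conf. The sample rules and that variable mapping are constructed assumptions.

```python
import re

# Constructed sample rules in Snort 2.x syntax (not taken from the thread).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"fp ok"; flow:to_server,established; content:"/admin/"; http_uri; fast_pattern; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"pcre only"; flow:to_server,established; pcre:"/\.php\?id=\d+/U"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"plain content"; content:"User-Agent|3a| scanner"; http_header; sid:1000003; rev:2;)
# comment lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"negated only"; content:!"Host|3a|"; http_header; sid:1000004; rev:1;)
'''

# action proto src sport dir dst dport (options)
HEADER = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+(\S+)\s+(\S+)\s+'
                    r'(?:->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# one option up to its terminating ';', with ';' inside double quotes left alone
OPTION = re.compile(r'((?:[^;"]|"(?:[^"\\]|\\.)*")+);')

def audit_rules(text, variables=None):
    """One finding per rule: sid, fast-pattern eligibility and header width."""
    if variables is None:  # assumption matching the thread: both nets resolve to any
        variables = {'$HOME_NET': 'any', '$EXTERNAL_NET': 'any'}
    findings = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        src, sport, dst, dport, body = m.groups()
        pairs = [(o.strip().split(':', 1) + [''])[:2] for o in OPTION.findall(body)]
        pairs = [(k.strip(), v.strip()) for k, v in pairs]
        # Snort 2.x picks its fast pattern from content/uricontent; a negated content
        # (content:!"...") is never eligible. A rule with no candidate is evaluated on
        # every packet that matches its header, which is the cost Russ describes.
        candidates = [v for k, v in pairs if k in ('content', 'uricontent') and not v.startswith('!')]
        wide = all(variables.get(x, x) == 'any' for x in (src, dst)) and sport == dport == 'any'
        findings.append({'sid': dict(pairs).get('sid', '?'),
                         'has_fast_pattern': bool(candidates),
                         'explicit_fast_pattern': any(k == 'fast_pattern' for k, _ in pairs),
                         'wide_header': wide})
    return findings

def no_fast_pattern_sids(text, variables=None):
    """SIDs that profile_rules can never attribute to a fast-pattern match."""
    return [f['sid'] for f in audit_rules(text, variables) if not f['has_fast_pattern']]

if __name__ == '__main__':
    for f in audit_rules(SAMPLE_RULES):
        print(f)
```

Rules reported by `no_fast_pattern_sids` are the first ones to rewrite with a usable `content` (or drop) when the profiler says "No rules were profiled" but the drop rate climbs.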
