
Using snort version 2.8.6, I am attempting to collect application performance stats such as

  • Number of packets not processed due to application overload
  • Percentage of time in processing layers (preprocessor, reassembly, pattern matching, etc)
  • Number of packets processed
  • etc

I am currently using perfmonitor preprocessor to dump performance stats, and graphing some of these values through SNMP calls. The documentation on this preprocessor is fairly limited and doesn't do a good job of explaining what the fields actually mean, or what time frame the figures are calculated over.

To get those kinds of performance metrics, what fields should I be looking at and how are those fields measured?

Scott Pack
You might try sticking a bounty on this one to get some attention. I'm not sure how feasible it is to get some of the stats you are looking for, but there must be a way to get at least some of them. – Caleb Apr 15 '11 at 10:26

2 Answers


Right now you have performance 'monitoring' enabled, but you want to enable performance and rule 'profiling'. A performance profile will provide stats on which preprocessors Snort spends its time.

Add the following lines to snort:

config profile_rules: print 100, sort total_ticks, filename /tmp/rules_out
config profile_preprocs: print 10, sort total_ticks, filename /tmp/preproc_out

Let snort run for a while and then when you exit you can see the output files.

For more info please see page 107 of the Snort Manual (http://www.snort.org/assets/166/snort_manual.pdf).

flashnode
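As an added example (not part of the answer above and not code from the Snort project), a small Python parser for the file that `config profile_rules` writes, ranking rules by total time and by cost per check. The sample input is constructed to follow the column layout of the rule-profiling example in the Snort 2.x manual; the parser keys on the header names rather than column positions, so compare it against the header line of your own output.

```python
# Constructed sample in the layout of Snort 2.x "config profile_rules" output.
# Column names follow the rule-profiling example in the Snort manual (assumption:
# verify against the header line of the file your Snort writes).
SAMPLE = """\
Rule Profile Statistics (all rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts   Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
   ===      === === ===     ======   =======    ======   =========  =========  ========= ============
     1     2389   1  12       1000        40        40       12000       12.0     150.0          6.25
     2     2178   1  17       5000         0         0        4000        0.8       0.0          0.8
     3     1000   1   1          3         3         3        3000     1000.0    1000.0          0.0
"""

def parse_rule_profile(text):
    """Return one dict per rule row, keyed by the names in the header line."""
    rows, header = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Num":            # header row names the columns
            header = fields
            continue
        if header is None or not fields[0].isdigit():
            continue                       # title and "===" underline rows
        if len(fields) != len(header):
            raise ValueError("column count mismatch: %r" % line)
        row = {}
        for name, value in zip(header, fields):
            row[name] = float(value) if "." in value else int(value)
        rows.append(row)
    return rows

def top_rules(rows, key="Microsecs", n=10):
    """Rank rules by a column: Microsecs shows where the detection engine's
    total time goes; Avg/Check exposes rules that are expensive per packet."""
    return sorted(rows, key=lambda r: r[key], reverse=True)[:n]

def share_of_total(rows):
    """Fraction of all profiled rule time consumed by each SID."""
    total = sum(r["Microsecs"] for r in rows)
    return {r["SID"]: r["Microsecs"] / total for r in rows} if total else {}

if __name__ == "__main__":
    rules = parse_rule_profile(SAMPLE)
    for r in top_rules(rules, "Avg/Check", 3):
        print("SID %d: %.1f us/check, %d us total" % (r["SID"], r["Avg/Check"], r["Microsecs"]))
```

Point the parser at the `filename` given in the `config profile_rules` line once Snort has exited; the same approach works for the `profile_preprocs` file after adjusting for its header names.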

Suricata is an alternative to Snort, and will actually load up the VRT and EmergingThreat rule sets. It's multithreaded and apparently a lot faster than Snort. My colleague says it has much better Debian packages than Snort does.

Here's a link to the engine statistics you can get from Suricata:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Performance_Statistics

There are 2 basic components to Performance Statistics. First, the module actually counts items, such as a stream module counting new streams/sec. Second is a module that collects all these stats and makes them available to the admin somehow (a log, snmp msg, etc).

Caleb
Wim Kerkhoff