Snort Performance – Is your snort working fast enough?

Snort performance monitoring is one of the key aspects IDS rule developers are concerned about. After all, what is the point of writing tons of rules if, once deployed on a network, they take hours to run and alert you? This article explains how to monitor your Snort performance, so focus and read all of it carefully.

We have already learnt what Snort is in Snort- An Open Source… and how it works in Snort – How does it... We also discussed where Snort can be used. Now it is time to learn how to make it work fast, because making things work is not enough; working fast enough is. To check whether your IDS is working well or not, it needs to be measured. To measure, we need a measurement tool: a plugin that can give real-time statistics while Snort is running live or on a pcap.

There are two ways to check the performance of your Snort IDS:

  1. Perfmonitor Preprocessor – to check Snort Engine Performance
  2. Perfprofiling Preprocessor – to check Snort Rules and preprocessor performance

Perfmonitor Preprocessor 

Like any other preprocessor it works after the packets are decoded, but the key role of this one is to give out real-time statistics on the performance of Snort in a human-readable form. The output goes either to the console (STDOUT, or shall I say the terminal screen) or to a file, whichever way you like. The main point is that it has a good number of options, enough to tailor the output to your needs. When run in the default configuration, the output includes:

  • Time Stamp
  • Drop Rate
  • Mbits/Sec (wire) [duplicated below for easy comparison with other rates]
  • K-Pkts/Sec (wire) [duplicated below for easy comparison with other rates]
  • Alerts/Sec
  • Avg Bytes/Pkt (wire) [duplicated below for easy comparison with other rates]
  • Pat-Matched [percent of data received that Snort processes in pattern matching]
  • Syns/Sec
  • New Sessions Cached/Sec
  • SynAcks/Sec
  • Sessions Del fr Cache/Sec
  • Current Cached Sessions
  • Max Cached Sessions
  • Stream Flushes/Sec
  • Stream Session Cache Timeouts
  • Stream Session Cache Faults
  • New Frag Trackers/Sec
  • Frag-Completes/Sec
  • Frag-Inserts/Sec
  • Frag-Deletes/Sec
  • Frag-Auto Deletes/Sec [memory DoS protection]
  • Frag-Current [number of current Frag Trackers]
  • Frag-Max [max number of Frag Trackers at any time]
  • Frag-Timeouts
  • Frag-Flushes/Sec
  • Frag-Faults
  • Number of CPUs [*** Only if compiled with LINUX_SMP ***, the next three appear for each CPU]
  • CPU usage (user)
  • CPU usage (sys)
  • CPU usage (Idle)
  • Mbits/Sec (wire) [average mbits of total traffic]
  • Mbits/Sec (ipfrag) [average mbits of IP fragmented traffic]
  • Mbits/Sec (ipreass) [average mbits Snort injects after IP reassembly]
  • Mbits/Sec (applayer) [average mbits seen by rules and protocol decoders]
  • Avg Bytes/Pkt (wire)
  • Avg Bytes/Pkt (ipfrag)
  • Mbits/Sec (tcprebuilt) [average mbits Snort injects after TCP reassembly]
  • Avg Bytes/Pkt (ipreass)
  • Avg Bytes/Pkt (tcprebuilt)
  • Avg Bytes/Pkt (applayer)
  • K-Pkts/Sec (wire)
  • K-Pkts/Sec (ipfrag)
  • K-Pkts/Sec (ipreass)
  • K-Pkts/Sec (tcprebuilt)
  • K-Pkts/Sec (applayer)
  • Total Packets Received
  • Total Packets Dropped (not processed)
  • Total Packets Blocked (inline)
  • Attribute Table Reloads (Target Based)
  • Mbits/Sec (Snort)
  • Mbits/Sec (sniffing)
  • Mbits/Sec (combined)
  • uSeconds/Pkt (Snort)
  • uSeconds/Pkt (sniffing)
  • uSeconds/Pkt (combined)
  • KPkts/Sec (Snort)
  • KPkts/Sec (sniffing)
  • KPkts/Sec (combined)
  • Percentage of Packets Dropped
  • Total Filtered TCP Packets
  • Total Filtered UDP Packets
  • Midstream TCP Sessions/Sec
  • Closed TCP Sessions/Sec
  • Pruned TCP Sessions/Sec
  • TimedOut TCP Sessions/Sec
  • Dropped Async TCP Sessions/Sec
  • TCP Sessions Initializing
  • TCP Sessions Established
  • TCP Sessions Closing
  • Max TCP Sessions (interval)
  • New Cached UDP Sessions/Sec
  • Cached UDP Ssns Del/Sec
  • Current Cached UDP Sessions
  • Max Cached UDP Sessions
  • Current Attribute Table Hosts (Target Based)

To use perfmon, the simplest configuration you can use in your Snort configuration file is:

preprocessor perfmonitor: \
    time 30 pktcnt 1000 flow events max base-stats flow-stats console

time: the time between sampling intervals, i.e. the gap the engine waits before the next sampling begins.

pktcnt: the number of packets to be processed within the time gap, or I should say within each interval.

flow: if used, this option provides a prodigious amount of statistics on network flow traffic, including packet counts per flow, packet lengths, etc.

events: turns on reporting of events and statistics related to signature matching.

max: if turned on, reports the theoretical maximum performance, calculated in real time by Snort from the processor's speed and current performance.

console: if turned on, sends the preprocessor's output to the console screen.


Enable perfprofiling

Snort can also provide statistics on rule and preprocessor performance just by enabling the perfprofiling preprocessor in your Snort config file; Snort will then produce statistics on the worst performers, or on all of them, on exit. If you want the output in a file, that option is available too: just add the file name in profile_preproc or profile_rules and Snort will do the rest. One important thing to note is the first step, i.e. building Snort to use this feature by passing --enable-perfprofiling to the configure script.


How to use it?

There is a defined format for it:

config profile_rules: \
    print [all | <num>], \
    sort <sort_option> \
    [, filename <filename> [append]]

  • <num> is the number of rules to print
  • <sort_option> is one of: checks, matches, nomatches, avg_ticks, avg_ticks_per_match, avg_ticks_per_nomatch, total_ticks
  • <filename> is the output filename
  • [append] dictates that the output will go to the same file each time (optional)
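To make the sort options concrete, here is an added Python example (not Snort's own code) that ranks rules the way print <num>, sort <sort_option> does, over a few constructed rule-profile rows. The column meanings follow Snort's rule profile table (Checks, Matches, time spent); the formulas for the avg_* options are assumptions derived from the option names, not taken from Snort's source.

```python
# Added example, not Snort code: rank rules as "print <num>, sort <opt>" does.
# Per-option formulas below are assumed from the option names
# (avg = total / count); the constructed rows are made up for illustration.
from dataclasses import dataclass

@dataclass
class RuleProfile:
    sid: int
    gid: int
    checks: int        # times the rule's detection options were evaluated
    matches: int       # evaluations that matched
    total_ticks: float # total time spent in the rule (microseconds here)

    @property
    def nomatches(self) -> int:
        return self.checks - self.matches

    @property
    def avg_ticks(self) -> float:
        return self.total_ticks / self.checks if self.checks else 0.0

    @property
    def avg_ticks_per_match(self) -> float:
        return self.total_ticks / self.matches if self.matches else 0.0

    @property
    def avg_ticks_per_nomatch(self) -> float:
        return self.total_ticks / self.nomatches if self.nomatches else 0.0

SORT_OPTIONS = ("checks", "matches", "nomatches", "avg_ticks",
                "avg_ticks_per_match", "avg_ticks_per_nomatch", "total_ticks")

def worst_rules(rows, num, sort_option="total_ticks"):
    """Return the `num` worst rules by `sort_option`, highest first ("all" keeps every row)."""
    if sort_option not in SORT_OPTIONS:
        raise ValueError(f"unknown sort option: {sort_option}")
    ranked = sorted(rows, key=lambda r: getattr(r, sort_option), reverse=True)
    return ranked if num == "all" else ranked[:num]

# Constructed sample rows: SIDs and counters are invented for illustration.
SAMPLE = [
    RuleProfile(sid=2389, gid=1, checks=12000, matches=30, total_ticks=900000.0),
    RuleProfile(sid=2178, gid=1, checks=5000, matches=0, total_ticks=2500.0),
    RuleProfile(sid=3001, gid=1, checks=400, matches=400, total_ticks=8000.0),
    RuleProfile(sid=1000001, gid=1, checks=90000, matches=1, total_ticks=450000.0),
]
```

Calling worst_rules(SAMPLE, 4, "total_ticks") mirrors the print 4, sort total_ticks directive; switching to avg_ticks_per_nomatch surfaces rules that are cheap per hit but expensive on the far more frequent non-matching checks.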

For Example:

config profile_rules: print 4, sort total_ticks

will produce output like this:


