Re: Enable perprofile

[wkitty42 () windstream net]

On 04/08/2017 06:23 PM, Abdullah AL-Mutairy wrote:
> Hello everyone!
>
> I was trying to enable performance profiling in snort 2.9.9.
> So i edit snort.conf and delete the "#" that comes before OPTIONS : --enbale-gre --enable-mpls .. etc.
> But when i validate the configurations i get an error.

you don't need those for performance monitoring... maybe the one for 
--enable-perfprofiling but those are for building snort from source so you need 
to rebuild with that option in place...

> How can i enable performance monitoring? I want to see details about cpu
> usage, number of signatures detected, and other details.

you need to enable "preprocessor perfmonitor" in snort.conf... here's an 
example... there are six lines... the first line is a description... the next 
four are commented out examples... you only need one of the others to create the 
csv file with the performance data in it... we use the last one here to get data 
written to the csv file every 5 minutes...

# performance statistics.  For more information, see the Snort Manual, 
Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
# preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
# preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 10000
# preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1000
preprocessor perfmonitor: time 300 snortfile snort.csv pktcnt 1


then there's these next two sections... the first for profiling rules and the 
second for profiling the snort processors...

# rules profiling
# print worst 25 rules based on time spent in them...
#config profile_rules: print all, sort total_ticks, filename rules_stats.log
config profile_rules: print 25, sort total_ticks, filename rules_stats.log

# preprocessor profiling
# print worst 10 preprocessors based on time spent in them...
config profile_preprocs: print 10, sort total_ticks, filename preprocs_stats.log


please read my signature below and keep responses *on the list*... do not reply 
to me in private... it will be ignored or followed up by support contract 
requirements... take the free assistance from the list while it is available ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!