Snort Performance Monitoring

monitoringsnort

Using snort version 2.8.6, I am attempting to collect application performance stats such as

Number of packets not processed due to application overload
Percentage of time in processing layers (preprocessor, reassembly, pattern matching, etc)
Number of packets processed
etc

I am currently using perfmonitor preprocessor to dump performance stats, and graphing some
of these values through SNMP calls. The documentation on this preprocessor is fairly limited
and doesn't do a good job of explaining what the fields actually mean, or what time frame the
figures are calculated over.

To get those kinds of performance metrics, what fields should I be looking at and how are those
fields measured?

Best Answer

Right now you have performance 'monitoring' enabled, but you want to enable performance and rule 'profiling'. A performance profile will provide stats on what preproc snort spends its time.

Add the following lines to snort:

config profile_rules: print 100, sort total_ticks, filename /tmp/rules_out
config profile_preprocs: print 10, sort total_ticks, filename /tmp/preproc_out

Let snort run for a while and then when you exit you can see the output files.

For more info please see page 107 of the Snort Manual
(http://www.snort.org/assets/166/snort_manual.pdf)

Related Solutions

Can Snort be installed on VPS

Snort can be pretty memory hungry, which on a VPS may be a problem. It can run alongside ossec quite nicely - the two are both included in Ossim which correlates infosecurity events from various sources.

I'd argue that it is probably overkill for a single VPS though. If you keep all your software updated against any security releases, have good configuration settings, use tripwire and monitor logs then you're doing a really good job. And if you are protecting an entire network then I'd consider running ossim on a dedicated box.

If you're using Apache then consider mod_security to help protect potentially vulnerable scripts you are hosting. And finally be proactive in the security, scanning your box for vulnerabilities with something like Nessus.

Linux – Snort monitoring of spanning interface

Depending on the configurations that shipped with your package, you may have some settings wrong. The base snort.conf file should work, however you should inspect the system config file /etc/sysconfig/snort and make sure these two options are set sanely.

INTERFACE
BPF

Also you should look at the system log, /var/log/messages by default, to see if the interface is actually entering promiscuous mode. If so, you should see something along these lines

kernel: device eth1 entered promiscuous mode

You can also get good debugging information from the perfmonitor preprocessor. You can enable it in your snort.conf with something like

preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000

This will dump a VERY large comma delineated list of performance values from the snort application. The full list of all the values dumped can be found in the manual, either shipped or at snort_manual.pdf You might be interested to look at:

Total Packets Received
Mbits/Sec (applayer)
TCP Sessions Initializing

The values from those, and possibly others, should help determine whether the application itself is even seeing the packets, let alone processing them.

Best Answer

Related Solutions

Can Snort be installed on VPS

Linux – Snort monitoring of spanning interface

Related Topic