[Snort-devel] New feature wanted: Rule matching stats

From: Martin Olsson <elof(at)sentor.se>
Date: Thu Jun 26 2003 - 06:13:18 EDT

When killing the snort process you get a lot of nice information. Among other things, you can use it to finetune the configuration of snort.

In order to finetune the rules-configuration, it would be nice if snort could dump a count of matches for each rule, just as the command 'ipfw show' do on BSD.

...then one could easily see what rules constantly match zero packets and what rules match _lots_ of times. The nonimportant rules could probably be removed and maybe the highly matched rules could be placed earlier in the rules list.

This is a simple but effective way to improve performance.

Now, the problem is that if we have 1000 rules, this will generate lots of pages of output if every rule is to be printed with its counter value, so it should be configurable if one want to include these stats or not.

Maybe one could raise the level of statistics printed by sending SIGUSR2 signals to snort?
No USR2 = normal stats
one USR2 = normal + rule counters
two USR2 = normal + rule counters + a dump of the rules order. (I don't know if it is possible to list the order of rules since they are built in a 3D array...)
We can only _raise_ the level of statistics, but that is a minor problem. Just restart snort to go back to the normal level (or the one stated in snort.conf or command line)

Anyone else think this is a nice idea?

/Martin

---

This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php

---

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Thu Jun 26 06:29:59 2003