Using snort version 2.8.6, I am attempting to collect application performance stats such as
- Number of packets not processed due to application overload
- Percentage of time in processing layers (preprocessor, reassembly, pattern matching, etc)
- Number of packets processed
- etc
I am currently using perfmonitor preprocessor to dump performance stats, and graphing some of these values through SNMP calls. The documentation on this preprocessor is fairly limited and doesn't do a good job of explaining what the fields actually mean, or what time frame the figures are calculated over.
To get those kinds of performance metrics, what fields should I be looking at and how are those fields measured?
Right now you have performance 'monitoring' enabled, but you want to enable performance and rule 'profiling'. A performance profile will provide stats on which preprocessors snort spends its time in.
Add the following lines to snort:
Let snort run for a while and then when you exit you can see the output files.
For more info please see page 107 of the Snort Manual (http://www.snort.org/assets/166/snort_manual.pdf).
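Whichever of the two outputs you read, the perfmonitor CSV is still the one you can graph, and the question about time frames comes down to one fact: each line is one sampling interval, stamped at the interval's end. The script below is an added example, not part of the answer above and not Snort's own tooling. It reads a constructed perfmonitor-style file, uses the '#'-prefixed line as the column names, and derives the numbers the question asks for: packets seen per interval, an approximate dropped-packet count, the overall drop percentage, the worst interval, and gaps between samples that would indicate the sensor stalled or restarted. The column names (`time`, `pkt_drop_percent`, `kpackets_per_sec.realtime`, `patmatch_percent`) and the assumption that every row covers the configured sampling interval are mine; check them against the header line Snort actually writes before relying on the figures.

```python
"""Derive per-interval performance metrics from perfmonitor-style CSV output.

Assumptions (not confirmed by the page): the header line starts with '#',
'time' is epoch seconds, each row describes one sampling interval of
SAMPLE_SECONDS ending at 'time', and the rate/percent column names below
match what Snort writes."""
from dataclasses import dataclass

SAMPLE_SECONDS = 60  # the perfmonitor 'time' setting assumed for this file

# Constructed sample: four snapshots; the last one arrives 180 s after the
# previous one, i.e. two samples are missing.
SAMPLE_CSV = """\
#time,pkt_drop_percent,kpackets_per_sec.realtime,patmatch_percent
1300000000,0.000,12.500,41.2
1300000060,1.750,48.000,63.9
1300000120,0.250,20.000,45.0
1300000300,0.000,5.000,30.0
"""


@dataclass
class Interval:
    end: int                 # epoch seconds at which the sample was written
    packets_seen: int        # kpackets/s * 1000 * SAMPLE_SECONDS
    packets_dropped: int     # approximation: seen * drop_percent / 100
    drop_percent: float
    patmatch_percent: float  # share of processing time in pattern matching


def parse_snapshots(text: str) -> list[dict[str, float]]:
    """Parse the CSV, taking column names from the '#'-prefixed header."""
    header = None
    rows: list[dict[str, float]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            header = line.lstrip("#").split(",")
            continue
        if header is None:
            raise ValueError("data row before header line")
        values = line.split(",")
        if len(values) != len(header):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append({k: float(v) for k, v in zip(header, values)})
    return rows


def intervals(rows: list[dict[str, float]]) -> list[Interval]:
    """Turn per-interval rates and percentages into per-interval counts."""
    out = []
    for row in rows:
        seen = round(row["kpackets_per_sec.realtime"] * 1000 * SAMPLE_SECONDS)
        dropped = round(seen * row["pkt_drop_percent"] / 100)
        out.append(Interval(int(row["time"]), seen, dropped,
                            row["pkt_drop_percent"], row["patmatch_percent"]))
    return out


def gaps(rows: list[dict[str, float]], tolerance: int = 5) -> list[tuple[int, int]]:
    """Pairs of consecutive timestamps whose spacing is not the sampling interval."""
    found = []
    for prev, cur in zip(rows, rows[1:]):
        spacing = cur["time"] - prev["time"]
        if abs(spacing - SAMPLE_SECONDS) > tolerance:
            found.append((int(prev["time"]), int(cur["time"])))
    return found


def summarize(ivs: list[Interval]) -> dict[str, float]:
    """Aggregate over the whole file and point at the worst interval."""
    seen = sum(i.packets_seen for i in ivs)
    dropped = sum(i.packets_dropped for i in ivs)
    worst = max(ivs, key=lambda i: i.drop_percent)
    return {
        "total_packets_seen": seen,
        "total_packets_dropped": dropped,
        "drop_percent": 100.0 * dropped / seen if seen else 0.0,
        "worst_interval_end": worst.end,
        "max_patmatch_percent": max(i.patmatch_percent for i in ivs),
    }


if __name__ == "__main__":
    rows = parse_snapshots(SAMPLE_CSV)
    for iv in intervals(rows):
        print(f"{iv.end}: seen={iv.packets_seen} dropped~{iv.packets_dropped} "
              f"patmatch={iv.patmatch_percent}%")
    print("summary:", summarize(intervals(rows)))
    print("gaps between samples:", gaps(rows))
```

Run it against the real file by replacing `SAMPLE_CSV` with the file contents and setting `SAMPLE_SECONDS` to your configured interval; a non-empty `gaps()` result is worth alerting on in its own right, because a stalled sensor drops everything and writes nothing.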
Suricata is an alternative to Snort, and will actually load up the VRT and EmergingThreats rule sets. It's multithreaded and apparently a lot faster than Snort. My colleague says it has much better Debian packages than Snort does.
Here's a link to the engine statistics you can get from Suricata:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Performance_Statistics