Performance Monitor

This preprocessor measures Snort's real-time and theoretical maximum performance. Whenever this preprocessor is turned on, it should have an output mode enabled, either ``console'' which prints statistics to the console window or ``file'' with a file name, where statistics get printed to the specified file name. By default, Snort's real-time statistics are processed. This includes:

• Time Stamp
• Drop Rate
• Mbits/Sec (wire) [duplicated below for easy comparison with other rates]
• Alerts/Sec
• K-Pkts/Sec (wire) [duplicated below for easy comparison with other rates]
• Avg Bytes/Pkt (wire) [duplicated below for easy comparison with other rates]
• Pat-Matched [percent of data received that Snort processes in pattern matching]
• Syns/Sec
• SynAcks/Sec
• New Sessions Cached/Sec
• Sessions Del fr Cache/Sec
• Current Cached Sessions
• Max Cached Sessions
• Stream Flushes/Sec
• Stream Session Cache Faults
• Stream Session Cache Timeouts
• New Frag Trackers/Sec
• Frag-Completes/Sec
• Frag-Inserts/Sec
• Frag-Deletes/Sec
• Frag-Auto Deletes/Sec [memory DoS protection]
• Frag-Flushes/Sec
• Frag-Current [number of current Frag Trackers]
• Frag-Max [max number of Frag Trackers at any time]
• Frag-Timeouts
• Frag-Faults
• Number of CPUs [*** Only if compiled with LINUX_SMP ***, the next three appear for each CPU]
• CPU usage (user)
• CPU usage (sys)
• CPU usage (Idle)
• Mbits/Sec (wire) [average mbits of total traffic]
• Mbits/Sec (ipfrag) [average mbits of IP fragmented traffic]
• Mbits/Sec (ipreass) [average mbits Snort injects after IP reassembly]
• Mbits/Sec (tcprebuilt) [average mbits Snort injects after TCP reassembly]
• Mbits/Sec (applayer) [average mbits seen by rules and protocol decoders]
• Avg Bytes/Pkt (wire)
• Avg Bytes/Pkt (ipfrag)
• Avg Bytes/Pkt (ipreass)
• Avg Bytes/Pkt (tcprebuilt)
• Avg Bytes/Pkt (applayer)
• K-Pkts/Sec (wire)
• K-Pkts/Sec (ipfrag)
• K-Pkts/Sec (ipreass)
• K-Pkts/Sec (tcprebuilt)
• K-Pkts/Sec (applayer)
• Total Packets Received
• Total Packets Dropped (not processed)
• Total Packets Blocked (inline)
• Percentage of Packets Dropped
• Total Filtered TCP Packets
• Total Filtered UDP Packets
• Midstream TCP Sessions/Sec
• Closed TCP Sessions/Sec
• Pruned TCP Sessions/Sec
• TimedOut TCP Sessions/Sec
• Dropped Async TCP Sessions/Sec
• TCP Sessions Initializing
• TCP Sessions Established
• TCP Sessions Closing
• Max TCP Sessions (interval)
• New Cached UDP Sessions/Sec
• Cached UDP Ssns Del/Sec
• Current Cached UDP Sessions
• Max Cached UDP Sessions
• Current Attribute Table Hosts (Target Based)
• Attribute Table Reloads (Target Based)
• Mbits/Sec (Snort)
• Mbits/Sec (sniffing)
• Mbits/Sec (combined)
• uSeconds/Pkt (Snort)
• uSeconds/Pkt (sniffing)
• uSeconds/Pkt (combined)
• KPkts/Sec (Snort)
• KPkts/Sec (sniffing)
• KPkts/Sec (combined)

There are over 100 individual statistics included. A header line is output at startup and rollover that labels each column.

The following options can be used with the performance monitor:

• flow - Prints out statistics about the type of traffic and protocol distributions that Snort is seeing. This option can produce large amounts of output.

• events - Turns on event reporting. This prints out statistics as to the number of rules that were evaluated and didn't match (non-qualified events) vs. the number of rules that were evaluated and matched (qualified events). A high non-qualified event to qualified event ratio can indicate there are many rules with either minimal content or no content that are being evaluated without success. The fast pattern matcher is used to select a set of rules for evaluation based on the longest content or a content modified with the fast_pattern rule option in a rule. Rules with short, generic contents are more likely to be selected for evaluation than those with longer, more unique contents. Rules without content are not filtered via the fast pattern matcher and are always evaluated, so if possible, adding a content rule option to those rules can decrease the number of times they need to be evaluated and improve performance.

• max - Turns on the theoretical maximum performance that Snort calculates given the processor speed and current performance. This is only valid for uniprocessor machines, since many operating systems don't keep accurate kernel statistics for multiple CPUs.

• console - Prints statistics at the console.

• file - Prints statistics in a comma-delimited format to the file that is specified. Not all statistics are output to this file. You may also use snortfile which will output into your defined Snort log directory. Both of these directives can be overridden on the command line with the -Z or -perfmon-file options. At startup, Snort will log a distinctive line to this file with a timestamp to all readers to easily identify gaps in the stats caused by Snort not running.

• pktcnt - Adjusts the number of packets to process before checking for the time sample. This boosts performance, since checking the time sample reduces Snort's performance. By default, this is 10000.

• time - Represents the number of seconds between intervals.

• accumulate or reset - Defines which type of drop statistics are kept by the operating system. By default, reset is used.

• atexitonly - Dump stats for entire life of Snort.

• max_file_size - Defines the maximum size of the comma-delimited file. Before the file exceeds this size, it will be rolled into a new date stamped file of the format YYYY-MM-DD, followed by YYYY-MM-DD.x, where x will be incremented each time the comma delimited file is rolled over. The minimum is 4096 bytes and the maximum is 2147483648 bytes (2GB). The default is the same as the maximum.

• flow-ip - Collects IP traffic distribution statistics based on host pairs. For each pair of hosts for which IP traffic has been seen, the following statistics are collected for both directions (A to B and B to A):
  • TCP Packets
  • TCP Traffic in Bytes
  • TCP Sessions Established
  • TCP Sessions Closed
  • UDP Packets
  • UDP Traffic in Bytes
  • UDP Sessions Created
  • Other IP Packets
  • Other IP Traffic in Bytes
  These statistics are printed and reset at the end of each interval.

• flow-ip-file - Prints the flow IP statistics in a comma-delimited format to the file that is specified. All of the statistics mentioned above, as well as the IP addresses of the host pairs in human-readable format, are included.

  Each line in the file will have its values correspond (in order) to those below:

  • IP Address A (String)
  • IP Address B (String)
  • TCP Packets from A to B
  • TCP Traffic in Bytes from A to B
  • TCP Packets from B to A
  • TCP Traffic in Bytes from B to A
  • UDP Packets from A to B
  • UDP Traffic in Bytes from A to B
  • UDP Packets from B to A
  • UDP Traffic in Bytes from B to A
  • Other IP Packets from A to B
  • Other IP Traffic in Bytes from A to B
  • Other IP Packets from B to A
  • Other IP Traffic in Bytes from B to A
  • TCP Sessions Established
  • TCP Sessions Closed
  • UDP Sessions Created

• flow-ip-memcap - Sets the memory cap on the hash table used to store IP traffic statistics for host pairs. Once the cap has been reached, the table will start to prune the statistics for the least recently seen host pairs to free memory. This value is in bytes and the default value is 52428800 (50MB).