Tuesday, October 09, 2007

Q: How do I generate a rule profiling report on my sensor?

A:

A rule profiling report tells you which rules are putting the greatest load on your sensor. You change the sensor configuration to enable sampling, let the detection engine (D.E.) run for a while, and the report lists the aggregate time the D.E. spent on each rule during the sampling period. Sampling should then be disabled again, because profiling itself adds a hefty load to the system.

Sampling is done for one D.E. on one sensor at a time. Unfortunately, there is no way to enable it from the GUI on either the DC (Defense Center) or the sensor. You have to log in at the command line of the sensor and do it manually. Here's how:

  1. Add the following lines to the user.conf file in /var/sf/detection_engines/{DE crazynumber}:
    #Rule and Preprocessor profiling
    config profile_rules: print all, sort total_ticks
    config profile_preprocs: print 100, sort total_ticks
    
  2. Restart the software using /etc/rc.d/init.d/sensor restart
  3. Let the sensor run for the sampling period (about 30 minutes?), and then stop the sensor software with /etc/rc.d/init.d/sensor stop
  4. Comment out the lines you added to user.conf by putting # in front of them. (Profiling has a real impact on sensor performance and should be disabled whenever you are not actively running it, which is why it is off by default.)
  5. Start the system back up: /etc/rc.d/init.d/sensor start. If you have a problem after doing this, as I did, you may prefer to just reboot the sensor.
  6. Snort has written the profiling data to /var/log/messages. Running 'grep snort /var/log/messages | less' limits the amount of log you need to scroll through. Scroll until you see the long list of rule SIDs; because of 'sort total_ticks', the rules that consumed the most time are listed first.
  7. To get other performance statistics, cd to /var/sf/detection_engines/{DE crazynumber}/ and run 'ls'. You will see files named by date. Run 'cat (unknown) | perfstats' to get the statistics for that day.
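As an added example (not code from the original post or from Sourcefire), here is the same procedure wrapped in POSIX sh functions: one appends the two config directives, one comments them out again, and one pulls the per-rule table back out of /var/log/messages so you do not have to scroll for it. The log contents in write_sample_log are constructed for this example, and the column layout it parses (a Ticks or Microsecs column located from the header row, SID and GID in the second and third columns) is an assumption modelled on Snort 2.x rule-profiling output; check it against the header row in your own /var/log/messages before trusting the numbers. The init-script and directory paths are the ones given in the steps above.

```shell
#!/bin/sh
# Added example: automates steps 1, 4 and 6 above and parses the rule table
# out of syslog. Paths are parameters so the parsing can be tried on a copied
# log before anything is run on a sensor.

PROFILE_LINES='#Rule and Preprocessor profiling
config profile_rules: print all, sort total_ticks
config profile_preprocs: print 100, sort total_ticks'

# Step 1: append the directives unless an active copy is already present.
# Re-running after disable_profiling appends a fresh copy below the commented one.
enable_profiling() {
    conf="$1"
    if grep -q '^config profile_' "$conf" 2>/dev/null; then
        echo "profiling already enabled in $conf" >&2
        return 1
    fi
    # make sure the file ends in a newline so we never glue onto its last line
    [ -z "$(tail -c1 "$conf")" ] || echo >> "$conf"
    printf '%s\n' "$PROFILE_LINES" >> "$conf"
}

# Step 4: comment the directives out. A temp file instead of sed -i keeps this
# portable; '&' re-inserts the text the pattern matched.
disable_profiling() {
    conf="$1"
    sed -e 's/^config profile_rules:/#&/' \
        -e 's/^config profile_preprocs:/#&/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Step 6, automated: keep snort lines, drop the syslog prefix, find the
# Ticks/Microsecs column from the header row, and print "SID GID ticks" for
# the N most expensive rules. Parsing stops at the preprocessor table.
top_rules() {
    log="$1"; n="${2:-20}"
    grep 'snort\[' "$log" \
      | sed 's/^.* snort\[[0-9]*\]: //' \
      | awk '
          /Rule Profile Statistics/         { in_rules = 1; col = 0; next }
          /Preprocessor Profile Statistics/ { in_rules = 0 }
          in_rules && col == 0 && $2 == "SID" {
              for (i = 1; i <= NF; i++) if ($i == "Ticks" || $i == "Microsecs") col = i
              next
          }
          in_rules && col > 0 && $1 ~ /^[0-9]+$/ { print $2, $3, $col }
        ' \
      | sort -k3,3nr | head -n "$n"
}

# Steps 1-6 end to end on a real sensor (restarts the detection engine, so it
# is never called automatically). de_dir is /var/sf/detection_engines/<uuid>.
profile_cycle() {
    de_dir="$1"; minutes="${2:-30}"
    enable_profiling "$de_dir/user.conf" || return 1
    /etc/rc.d/init.d/sensor restart
    sleep $((minutes * 60))
    /etc/rc.d/init.d/sensor stop
    disable_profiling "$de_dir/user.conf"
    /etc/rc.d/init.d/sensor start
    top_rules /var/log/messages 20
}

# Constructed sample of what syslog holds after a run (not captured from a
# real sensor); lets top_rules be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  9 12:00:00 sensor sshd[100]: Accepted publickey for admin from 10.0.0.5
Oct  9 12:00:01 sensor snort[4321]: Initializing Output Plugins!
Oct  9 12:31:07 sensor snort[4321]: Rule Profile Statistics (all rules)
Oct  9 12:31:07 sensor snort[4321]: ==========================================================
Oct  9 12:31:07 sensor snort[4321]:    Num      SID GID Rev     Checks   Matches    Alerts        Ticks  Avg/Check  Avg/Match Avg/Nonmatch
Oct  9 12:31:07 sensor snort[4321]:    ===      === === ===     ======   =======    ======        =====  =========  ========= ============
Oct  9 12:31:07 sensor snort[4321]:      1     2003   1   4      51234       120       120     98765432     1927.7      812.3       1930.3
Oct  9 12:31:07 sensor snort[4321]:      2  1000001   1   1     400000         3         3      4500000       11.2     1200.0         11.2
Oct  9 12:31:07 sensor snort[4321]:      3     1917   1   6      20000         0         0       210000       10.5        0.0         10.5
Oct  9 12:31:07 sensor snort[4321]: Preprocessor Profile Statistics (worst 100)
Oct  9 12:31:07 sensor snort[4321]: ==========================================================
Oct  9 12:31:07 sensor snort[4321]:    Num      Preprocessor Layer     Checks      Exits    Ticks
Oct  9 12:31:07 sensor snort[4321]:      1             frag3     0      51234      51234  9000000
EOF
}

# Usage on a copied log:  write_sample_log /tmp/messages.sample; top_rules /tmp/messages.sample 5
# On the sensor itself:   profile_cycle /var/sf/detection_engines/<uuid> 30
```

Locating the time column from the header row rather than hard-coding its position is what makes the parser survive the difference between builds that report ticks and builds that report microseconds; if the header names differ on your sensor, adjust the two string comparisons in the awk program.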
