Configuring SNORT rule profiling

The options to configure SNORT rule profiling are on different tabs and in different sections of the Network IPS Local Management Interface. Enable these settings to use the SNORT rule profiling feature on the appliance.

About this task

Important: Use the SNORT rule profiling feature only when needed because it can affect SNORT engine performance.

Procedure

  1. Go to Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules.
  2. On the SNORT Execution tab, select the SNORT Execution check box.
  3. On the SNORT Configuration tab in the Rule Profiling area, configure the options that gather performance metrics about SNORT rules.
    1. Select the Enable rule profiling check box to record SNORT performance statistics.
    2. Select Number of rules to display from the list. The appliance displays the rules with the worst statistics.
    3. Select Sort option, which is a list of statistics that the system uses to order the rule profile. The statistics are as follows:
      | Statistic | Description |
      |---|---|
      | Checks | The number of times that the SNORT engine checks for rule options after the SNORT engine completes an initial analysis to group and pre-screen traffic. |
      | Matches | The number of times that the SNORT engine finds traffic matching all rule options. |
      | No Matches | The number of times that the SNORT engine finds no traffic matching all rule options. |
      | Average Ticks (Avg/Check) | The average time that the SNORT engine takes to check each packet against the listed rule. |
      | Average Ticks Per Match (Avg/Match) | The average time that the SNORT engine takes to check each packet that matches all rule options. |
      | Average Ticks Per No Match (Avg/Nonmatch) | The average time that the SNORT engine takes to check each packet that did not generate an event. Note: This statistic represents wasted time spent checking clean traffic. |
      | Total Ticks | Identifies the rules that are responsible for consuming the most processing time. |
  4. Apply policy settings. When you apply policy settings, you set the system to check for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.
  5. Go to Review Analysis and Diagnostics > Diagnostics > SNORT Rule Profiling to view the rule profiling file.
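
Once the profiling file is available, the sort options above can be reproduced offline to decide which rules to tune first. The following is an added example, not code from the appliance or its documentation: the column layout of the sample, the names No_Matches and Wasted_Ticks, and the relationship No Matches = Checks - Matches are assumptions made for the illustration.

```python
"""Rank rules from a rule-profiling table by the statistics listed above."""

# Constructed sample. The column layout is an assumption made for this example;
# the appliance's profiling file may be laid out differently.
SAMPLE = """\
SID      Checks  Matches  Avg/Check  Avg/Match  Avg/Nonmatch  Total_Ticks
1000001   40000     1000       20.5       40.0          20.0       820000
1000002    5000     4000       30.0       35.0          10.0       150000
1000003   90000        0        5.0        0.0           5.0       450000
"""

def parse_profile(text):
    """Parse a whitespace-delimited profile table into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rules = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            continue  # skip truncated or malformed rows
        try:
            row = {name: float(val) for name, val in zip(header, fields)}
        except ValueError:
            continue  # skip non-numeric rows such as "===" rulers
        row["SID"] = int(row["SID"])
        # Assumption: every check ends as either a match or a no-match.
        row["No_Matches"] = row["Checks"] - row["Matches"]
        # Ticks spent on traffic that never matched (time spent on clean traffic).
        row["Wasted_Ticks"] = row["No_Matches"] * row["Avg/Nonmatch"]
        rules.append(row)
    return rules

def worst_rules(rules, sort_by, count):
    """Return the SIDs of the `count` rules with the highest `sort_by` value."""
    ranked = sorted(rules, key=lambda r: r[sort_by], reverse=True)
    return [r["SID"] for r in ranked[:count]]

def wasted_share(rules):
    """Fraction of each rule's total ticks that went to non-matching traffic."""
    return {r["SID"]: (r["Wasted_Ticks"] / r["Total_Ticks"] if r["Total_Ticks"] else 0.0)
            for r in rules}

if __name__ == "__main__":
    rules = parse_profile(SAMPLE)
    for key in ("Total_Ticks", "Avg/Check", "Wasted_Ticks"):
        print(key, worst_rules(rules, key, 2))
    print(wasted_share(rules))
```

A rule that ranks high on Total Ticks and has a wasted share close to 1.0 spends nearly all of its time on traffic that never produces an event, which makes it the first candidate for tighter rule options or removal.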