Post on 09-Apr-2018
8/8/2019 Snort Perf Tuning Webinar Final
http://slidepdf.com/reader/full/snort-perf-tuning-webinar-final 1/16
Performance Tuning Snort
Steve Sturges
Agenda
Goals of Performance Tuning Snort
Techniques
• Perfmon Preprocessor
• Preprocessor Profiling
• Rule Profiling
White paper
Q&A
Goals of Performance Tuning
Improve Snort throughput
• Higher MB/s
• Inspect traffic more efficiently
Reduce Packet Latency
• Important when inline
• Lower per packet processing time
• Eliminate network hiccups
Perfmon Preprocessor
Configuring Perfmon
• Printing to Console vs File
• File provides quicker output, but the CSV file must be post-processed
• Packet Count, Time Intervals, Exit Only
Looking at Flow Data
• Breakdown of port and packet size distributions
• Look for High Port to High Port traffic
• Look for Heavy talkers/listeners
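Added example, not from the slides: the two perfmonitor configurations the slide contrasts, in Snort 2.9 snort.conf syntax. Only one perfmonitor line should be active at a time; the file path, interval and packet count are assumptions to adjust for your sensor.

```snort
# Console output: human-readable, but slower, and awkward to trend.
# A report is printed every 300 seconds or every 10000 packets,
# whichever comes first. "flow" adds the port and packet-size
# distribution the later slides use to find high-port-to-high-port
# traffic and heavy talkers.
preprocessor perfmonitor: time 300 pktcnt 10000 console flow

# File output: CSV rows appended to the stats file (path assumed).
# Cheaper for Snort, but the CSV has to be post-processed.
# preprocessor perfmonitor: time 300 pktcnt 10000 file /var/log/snort/snort.stats flow

# Exit-only output: a single summary when Snort stops. The cheapest way
# to capture a before/after baseline when replaying the same pcap
# (snort -r capture.pcap) across tuning changes.
# preprocessor perfmonitor: time 300 pktcnt 10000 file /var/log/snort/snort.stats atexitonly
```

A larger pktcnt lowers the cost of perfmon itself, since the time check only runs once per pktcnt packets; lower it only when you need finer-grained intervals on a slow link.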
Perfmon Preprocessor (cont)
Stats Categories
• Throughput
• CPU Usage
• Pattern Matching
• Stream
• Frag
Looking at Flow Data
• Breakdown of port and packet size distributions
• Look for High Port to High Port traffic
• Look for Heavy talkers/listeners
Perfmon Preprocessor (cont)
Throughput Stats
• Higher = better performance
• Increased by the tuning steps covered throughout this talk
CPU Usage
• Lower = better performance
• Decreased by the tuning steps covered throughout this talk
Perfmon Preprocessor (cont)
Pattern Matching Stats
• Lower = better performance
• Decrease by eliminating benign traffic from inspection
• Reduce number of TCP reassembled packets
• Reduce HTTP client & server flow depths
• Limit size of DCE/RPC reassembled packets
• Ignore encrypted traffic
• Ignore FTP data channel transfers
• BPFs & Ignore Ports
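Added example, not from the slides: one snort.conf fragment per bullet above, in Snort 2.9 syntax, showing where each reduction is configured. Port lists, depths and the BPF file path are assumptions; take the real values from the perfmon flow statistics on your own sensor.

```snort
# 1. Reassemble only on ports whose rules need reassembled data.
#    Every port left out of these lists is one fewer reassembled
#    pseudo-packet handed to detection.
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144
preprocessor stream5_tcp: policy first, timeout 180, \
    ports client 21 22 23 25 110 143 445 1433 3306, \
    ports both 80 443 8080

# 2. Cap how much of each HTTP request and response body is inspected.
#    0 would inspect the whole body; 300 bytes covers headers plus the
#    start of the body, where most HTTP rules anchor.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    server_flow_depth 300 \
    client_flow_depth 300

# 3. Stop reassembling DCE/RPC fragment chains past 4096 bytes so one
#    large request cannot dominate inspection time.
preprocessor dcerpc2: memcap 102400, events [co], max_frag_len 4096

# 4. After the TLS handshake there is nothing for content rules to see;
#    mark the session encrypted and stop inspecting it.
preprocessor ssl: ports { 443 465 993 995 }, trustservers, noinspect_encrypted

# 5. Skip the FTP data channel (only TCP state is kept for it).
#    Do not use this if the rule set depends on scanning file contents.
preprocessor ftp_telnet: global inspection_type stateful
preprocessor ftp_telnet_protocol: ftp server default \
    ports { 21 } \
    ignore_data_chan yes

# 6. Remove whole ports or hosts before inspection. ignore_ports skips
#    rule evaluation for the listed ports; a BPF filter (file assumed)
#    drops packets before decoding. Both create blind spots, so record
#    them next to the rule set.
config ignore_ports: tcp 6881:6889 11211
config bpf_file: /etc/snort/ignore_backups.bpf
```

Apply these one at a time and re-read the pattern-matching counters between runs: a change that lowers the counters without lowering throughput or alerts on a replayed pcap is the one worth keeping.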
Perfmon Preprocessor (cont)
Stream Stats
• Cache Faults, Timeouts
• Increase number of sessions tracked
• Increase memcap
• Correctly set timeout
• TCP SYNs vs SYN/ACKs
• Snort performs best when seeing symmetric traffic
Frag Stats
• Frag Faults, Frag Auto Deletes, Frag Timeouts
• Increase max_frags and memcap
• Use prealloc_memcap or prealloc_frags
• Correctly set timeout
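Added example, not from the slides: sizing stream5 and frag3 so the Stream and Frag counters stop reporting cache faults, auto deletes and premature timeouts. The numbers are assumptions for a busy sensor with a few GB of RAM; derive yours from the session and fragment counts perfmon reports.

```snort
# Before (roughly the defaults): 8192 tracked TCP sessions is exhausted
# quickly on a busy link, so stream5 evicts live sessions (cache
# faults) and a 30 second idle timeout drops slow but legitimate flows,
# which then reappear mid-stream and cannot be reassembled.
# preprocessor stream5_global: max_tcp 8192, track_udp no
# preprocessor stream5_tcp: policy first, timeout 30

# After: track more sessions, give the session cache more memory, and
# hold idle sessions long enough for the protected hosts' own timeouts.
preprocessor stream5_global: track_tcp yes, max_tcp 262144, \
    track_udp yes, max_udp 131072, \
    track_icmp no, \
    memcap 536870912
preprocessor stream5_tcp: policy linux, timeout 180, \
    ports both 80 443 8080, \
    ports client 21 22 25 110 143 445

# A SYN count far above the SYN/ACK count in perfmon means the sensor
# only sees one direction of many sessions. No stream5 setting fixes
# that; correct the tap or SPAN so both directions reach Snort.

# Frag3: larger fragment table, and pre-allocated fragment nodes so a
# fragment storm does not go through the allocator per fragment.
# prealloc_memcap <bytes> is the alternative when you would rather
# bound memory than node count. Timeout should match the host policy.
preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
preprocessor frag3_engine: policy linux, timeout 180, detect_anomalies
```

Raising max_tcp and memcap only helps if the box has the RAM; watch resident memory after the change, because a sensor that starts swapping loses far more throughput than cache faults ever cost.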
Perfmon Preprocessor (cont)
Flow Data
• Breakdown of port and packet size distributions
• Reduce number of packets included in TCP Reassembly
• Look for High Port to High Port traffic
• Look for Heavy talkers/listeners
Preprocessor Profiling
Performance Breakdown of Snort’s Phases
• Preprocessors
• Sub categories
• Detection
• Pattern Matching (MPSE)
• Rule Options (various option types)
• Output/Event Logging
Preprocessor Profiling (cont)
Checks
• Reduce to improve performance
• Correctly configure preprocessor ports
• Ignore traffic as noted earlier
Average per Check
• Reduce to improve performance
• Eliminate large blocks of data, correct configuration of TCP reassembly ports/services
• Eliminate unnecessary preprocessors based on rule set
• Eliminate unnecessary rules to help MPSE
• Use faster pattern matching algorithm
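Added example, not from the slides: turning on preprocessor profiling and selecting the pattern-matching engine, in Snort 2.9 syntax. Profiling needs a Snort built with --enable-perfprofiling; the output path is an assumption.

```snort
# Report the 10 most expensive preprocessors, with their sub-categories,
# ranked by average ticks per check. Printed at exit, which makes a
# pcap replay (snort -r) the natural way to compare two configurations.
config profile_preprocs: print 10, sort avg_ticks

# Alternative: keep the whole table in a file, appended across runs, so
# successive tuning changes can be diffed (uncomment to use instead).
# config profile_preprocs: print all, sort total_ticks, filename /var/log/snort/preprocs.txt append

# The MPSE is the pattern-matching stage inside detection. ac-bnfa is
# the low-memory default; ac-split is full Aho-Corasick with the
# any/any rule group evaluated separately, which keeps each port
# group's automaton smaller and is faster on large rule sets at the
# cost of RAM. search-optimize shrinks automaton state storage, and
# max-pattern-len 20 truncates fast patterns to 20 bytes to bound
# MPSE memory (the combination the Snort manual recommends).
config detection: search-method ac-split search-optimize max-pattern-len 20
```

Read the profile in two passes: a high check count points at a preprocessor bound to too many ports, a high average per check points at oversized data (reassembled streams, flow depths) reaching it.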
Rule Profiling
Performance Breakdown of Individual Rules
• Rules as part of Snort’s total time
• Overlap across rules with common detection options
• For rules within same group, place common options first and in same order
• Start with flow:established,<direction>
Rule Profiling (cont)
Microseconds
• Reduce to improve individual rule performance
• Rule time vs Total Snort time
• Investigate if ratio is > 5% of total
Checks vs Matches vs Alerts
• Can rules that are not matching be turned off?
• flowbits:noalert can result in match but no alert
• Reduce checks by improving uniqueness and accuracy of content option used for pattern matching
• Should have at least one content in rule
• Longest pattern used
• Can specify alternate pattern with the fast_pattern modifier to content
Rule Profiling (cont)
Average per Check
• Most often caused by expensive PCRE
• Reduce complexity of pattern
• Reduce possibility of recursion
• Split into multiple rules in cases of many "ORs"
• Use config options to restrict impact of PCRE
• pcre_match_limit
• pcre_match_limit_recursion
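Added example, not from the slides: the rule-profiling configuration, the PCRE limits, and a slow rule rewritten along the lines of the last three slides (flow first, a content fast pattern, a tighter PCRE, and the "or" split into two rules). Snort 2.9 syntax; the SIDs, messages and patterns are made up for illustration, and profiling needs a build with --enable-perfprofiling.

```snort
# Rank rules by average ticks per check: that isolates rules whose
# per-check cost (almost always a PCRE) is out of proportion, as
# opposed to rules that are merely checked often.
config profile_rules: print 20, sort avg_ticks

# Bound PCRE backtracking so one pathological pattern cannot spend
# seconds on a single packet. Hitting a limit is reported as a
# non-match, so check that a rule still matches after lowering these.
config pcre_match_limit: 1500
config pcre_match_limit_recursion: 1500

# Before: no content option, so there is no fast pattern and the MPSE
# hands this rule every packet in the port group; the PCRE does all the
# work, and its leading .* with alternation backtracks heavily.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE slow shell invocation rule"; \
    pcre:"/(cmd|exec|run)=.*(\/bin\/sh|cmd\.exe)/i"; \
    sid:1000001; rev:1; )

# After: flow first (cheapest option, and shared with the rest of the
# group so the evaluations overlap), a selective content in the
# normalized URI declared as the fast pattern so only packets carrying
# it reach this rule, the PCRE scoped to the same buffer (/U) with
# [^&]* instead of .*, and the alternation split so each rule has one
# fast pattern. Expect checks to drop and the match/check ratio to rise.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE /bin/sh passed in cmd/exec/run parameter"; \
    flow:to_server,established; \
    content:"/bin/sh"; http_uri; fast_pattern; \
    pcre:"/[?&](cmd|exec|run)=[^&]*\/bin\/sh/Ui"; \
    sid:1000002; rev:1; )

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE cmd.exe passed in cmd/exec/run parameter"; \
    flow:to_server,established; \
    content:"cmd.exe"; http_uri; nocase; fast_pattern; \
    pcre:"/[?&](cmd|exec|run)=[^&]*cmd\.exe/Ui"; \
    sid:1000003; rev:1; )
```

When the profile shows a rule with many checks but zero matches and zero alerts, confirm it is not a flowbits:noalert setter before disabling it; those rules are supposed to match without alerting, and removing one silently breaks the rules that test the bit.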
Tuning Guidelines Document
Posted on Snort.org
• http://www.snort.org/docs/development-papers/
Rule Writing Specifics
• VRT White Papers
• Rule Writing Methodology
• VRT Performance Rules Creation Series
• Performance Rules Creation I
• Performance Rules Creation II
Questions?