Configuring SNORT rule profiling

The options to configure SNORT rule profiling are on different tabs and in different sections. Enable these settings to use the SNORT rule profiling feature on the Network IPS appliance.

About this task

Important: Use the SNORT rule profiling feature only when needed because it can impact SNORT engine performance.

Procedure

  1. Go to Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules.
  2. On the SNORT Execution tab, enable the SNORT Execution check box.
  3. On the SNORT Configuration tab, in the Rule Profiling area, configure the options for gathering performance metrics about SNORT rules.
    1. Select the Enable rule profiling check box to record SNORT performance statistics.
    2. Select Number of rules to display from the list. The appliance displays the rules with the worst statistics.
    3. Select the Sort option, which is a list of statistics the system uses to order the rule profile. The statistics are:
      | Statistic | Description |
      | --- | --- |
      | Checks | The number of times the SNORT engine checks for rule options after the SNORT engine completes an initial analysis to group and pre-screen traffic. |
      | Matches | The number of times the SNORT engine finds traffic matching all rule options. |
      | No Matches | The number of times the SNORT engine finds no traffic matching all rule options. |
      | Average Ticks (Avg/Check) | The average time the SNORT engine takes to check each packet against the listed rule. |
      | Average Ticks Per Match (Avg/Match) | The average time the SNORT engine takes to check each packet that matches all rule options. |
      | Average Ticks Per No Match (Avg/Nonmatch) | The average time the SNORT engine takes to check each packet that did not generate an event. Note: This statistic represents wasted time spent checking clean traffic. |
      | Total Ticks | The rules responsible for consuming the most processing time. |
  4. Apply policy settings. Applying policy settings causes the system to check for errors. See Troubleshooting SNORT errors for information about system behavior when it encounters an error.
  5. Go to Review Analysis and Diagnostics > Diagnostics > SNORT Rule Profiling to view the rule profiling file.
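
The rule profiling file can be triaged offline to find rules worth tuning. The following is an added example, not part of the original documentation or the product: it parses a profile table and lists rules that rarely match, ordered by the time spent on non-matching checks. The table layout (modelled on the open-source Snort 2.x rule profile output), the sample rows, and the names parse_profile and tuning_candidates are assumptions.

```python
from typing import NamedTuple

# Constructed sample. The column layout is an assumption modelled on the
# open-source Snort 2.x rule profile table; the appliance's file may differ.
SAMPLE = """\
Rule Profile Statistics (worst 4 rules)
==========================================================
   Num      SID GID Rev   Checks  Matches   Alerts  Microsecs  Avg/Check  Avg/Match Avg/Nonmatch  Disabled
   ===      === === ===   ======  =======   ======  =========  =========  ========= ============  ========
     1  1000001   1   1    50000       10       10     400000        8.0       12.0          8.0         0
     2  1000002   1   3    20000    19000    19000     100000        5.0        5.1          3.1         0
     3  1000003   1   2   300000        0        0     300000        1.0        0.0          1.0         0
     4  1000004   1   1     1000      500      500       2000        2.0        2.5          1.5         0
"""

class Rule(NamedTuple):
    sid: int
    checks: int
    matches: int
    total: float          # total time spent on the rule (Total Ticks sort option)
    avg_check: float
    avg_match: float
    avg_nonmatch: float

    @property
    def no_matches(self) -> int:
        return self.checks - self.matches

    @property
    def wasted(self) -> float:
        # Time spent on checks that did not match (see the Avg/Nonmatch note).
        return self.no_matches * self.avg_nonmatch

def parse_profile(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].isdigit():  # skip title, header, separators
            continue
        rules.append(Rule(int(f[1]), int(f[4]), int(f[5]), float(f[7]),
                          float(f[8]), float(f[9]), float(f[10])))
    return rules

def tuning_candidates(rules, top=3, max_match_ratio=0.01):
    """Rules that rarely match, ordered by time wasted on non-matching checks."""
    rare = [r for r in rules if r.checks and r.matches / r.checks <= max_match_ratio]
    return sorted(rare, key=lambda r: r.wasted, reverse=True)[:top]

if __name__ == "__main__":
    for r in tuning_candidates(parse_profile(SAMPLE)):
        print(f"sid={r.sid} checks={r.checks} matches={r.matches} wasted={r.wasted:.0f}")
```

Rules that surface here are checked often but almost never match, so they are the first candidates for tighter rule options or for disabling if they are not needed.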