How to read Snort run statistics

Snort shutdown statistics show what happened to traffic after a replay or sensor test finishes. They matter when an alert line alone does not prove that packets were received, decoded, inspected, and logged.

Snort 3 prints packet, module, and summary counters at shutdown when quiet mode is not used. A pcap replay with -r and a focused rule file with -R create a controlled run in which the DAQ, codec, detection, search-engine, and stream counters can be read together.

Read the counters in packet-path order. daq.received and daq.analyzed prove packet flow, the codec rows prove protocol decoding, and detection.alerts together with ips_actions.alert proves that a rule reached the alert action; a missing or zero value points to the earliest layer that needs attention.

Steps to read Snort run statistics:

  1. Run Snort against the pcap without quiet mode.
    $ sudo snort -c /usr/local/etc/snort/snort.lua \
        -R /usr/local/etc/snort/rules/local.rules \
        -r udp-test.pcap -k none -A alert_fast
    ##### snipped #####
    pcap DAQ configured to read-file.
    Commencing packet processing
    ++ [0] udp-test.pcap
    06/25-00:00:00.941429 [**] [1:1000001:1] "LOCAL UDP test" [**] [Priority: 0] {UDP} 192.0.2.10:53124 -> 192.0.2.20:31337
    -- [0] udp-test.pcap
    ##### snipped #####

    Leave -q off when the shutdown counters are the evidence. Use -k none only for lab captures whose checksums would otherwise prevent matching.

  2. Confirm that the DAQ received and analyzed packets.
    Packet Statistics
    --------------------------------------------------
    daq
                        pcaps: 1
                     received: 1
                     analyzed: 1
                        allow: 1
                     rx_bytes: 52

    If received is 0, the pcap, interface, permissions, or DAQ selection is the first place to inspect.

  3. Check that the packet decoded through the expected protocol stack.
    codec
                        total: 1
                          eth: 1
                         ipv4: 1
                          udp: 1

    A TCP test should show a tcp row instead. A wrong link type or empty pcap usually fails before useful detection counters appear.

  4. Check the detection and action counters.
    detection
                     analyzed: 1
                 raw_searches: 1
                 pkt_searches: 1
                       alerts: 1
                 total_alerts: 1
                       logged: 1
    --------------------------------------------------
    ips_actions
                        alert: 1

  5. Inspect search-engine counters when a content rule stays silent.
    search_engine
                   max_queued: 1
                total_flushed: 1
                total_inserts: 1
                 total_unique: 1
             qualified_events: 1

  6. Inspect stream counters when session handling matters.
    stream_udp
                     sessions: 1
                          max: 1
                      created: 1
                     released: 1
                  total_bytes: 10

  7. Read the summary timing and shutdown line.
    Summary Statistics
    --------------------------------------------------
    timing
                      runtime: 00:00:00
                      seconds: 0.029878
                     pkts/sec: 33
    o")~   Snort exiting

    Use perf_monitor when a long-running sensor needs interval counters without stopping Snort.
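    The packet-path reading above, as an added example that is not part of this page or of the Snort project: it parses the section/counter layout of the shutdown output and names the first layer whose counters do not back the alert line. The sample block is constructed from the rows shown above; the transport name and the layer order are assumptions made here.

```python
import re
from typing import Dict, Optional
# Constructed sample in Snort 3's shutdown layout: a section name alone on a
# line, then indented "counter: value" rows (values copied from the run above).
SAMPLE_STATS = """\
--------------------------------------------------
daq
                 received: 1
                 analyzed: 1
codec
                      eth: 1
                     ipv4: 1
                      udp: 1
detection
                 analyzed: 1
                   alerts: 1
ips_actions
                    alert: 1
"""

SECTION = re.compile(r"^(\w+)\s*$")          # e.g. "daq", "codec"
ROW = re.compile(r"^\s+(\S+):\s+(\d+)\s*$")  # integer counters only

def parse_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Turn the shutdown counters into {section: {counter: value}}."""
    stats: Dict[str, Dict[str, int]] = {}
    section: Optional[str] = None
    for line in text.splitlines():
        row = ROW.match(line)
        if row and section is not None:
            stats[section][row.group(1)] = int(row.group(2))
        elif (sec := SECTION.match(line)):
            section = sec.group(1)
            stats.setdefault(section, {})
    return stats

def first_broken_layer(stats: Dict[str, Dict[str, int]], transport: str = "udp") -> Optional[str]:
    """Walk the counters in packet-path order and return the first layer whose
    counters are missing or zero; None means every layer backs the alert."""
    checks = [
        ("daq", ["received", "analyzed"]),       # packets reached the engine
        ("codec", ["eth", transport]),           # and decoded through the stack
        ("detection", ["analyzed", "alerts"]),   # and a rule fired
        ("ips_actions", ["alert"]),              # and the alert action ran
    ]
    for layer, counters in checks:
        if any(stats.get(layer, {}).get(c, 0) == 0 for c in counters):
            return layer
    return None
```

    Feed the function the text captured from a non-quiet run; a TCP test is checked with transport="tcp".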