This document describes how to determine which traffic is handled by a specific Snort instance. This information is useful when you troubleshoot high CPU utilization on a specific Snort instance.
Cisco recommends that you have knowledge of these topics:
Knowledge of Firepower Technology
The information in this document is based on these software and hardware versions:
Firepower Management Center 6.X and above
Applicable to all managed devices which include Firepower Threat Defense, Firepower Modules, and Firepower Sensors
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Log in to the Firepower Management Center with administration privileges.
Once the login is successful, navigate to Analysis > Search, as shown in the image:
Ensure that the Connection Events table is chosen from the drop-down list and then select the Device from the section. Enter values for the Device field and the Snort Instance ID (0 to N; the number of Snort instances depends on the managed device), as shown in the image:
Once the values are entered, click Search. The results are the connection events that are triggered by the specific Snort instance.
Note: If the managed device is Firepower Threat Defense, you can determine the Snort instances using FTD CLISH mode.