[Snort-devel] [Fwd: [Snort-users] Packet Performance Monitoring Question...]

Russ Combs rcombs at ...402...
Wed Apr 14 12:26:46 EDT 2010


Edward, see the answers below.  Let me know if you have more questions.

Russ

2010/4/9 Edward Bjarte Fjellskål <edward.fjellskal at ...3083...>

> Hope this list knows :)
>
> ./ebf0
>
> Hi,
>
> If I'm using:
>
> config ppm: max-rule-time 5000, \
>    threshold 10, \
>    suspend-expensive-rules, \
>    suspend-timeout 60, \
>    rule-log log
>
> How will this technically work...
> If a rule uses more than 5000 usecs 9
> times say day 1 of running Snort, and
> say day 4, the rule again uses above 5000 usecs,
>
> will it then be suspended for 60 seconds?
>

Yes.

>
> Does Snort keep threshold stats for each rule
> forever? Or is the threshold within some default
> timeout?
>

Yes - the stats are retained until restart.

>
> Does enabling ppm for rules degrade the performance of Snort?
> (as it may have to do more checking of the threshold for
> each rule, and maybe also suspend it and bring it back...)
>

Yes - there will be some overhead, both for rule storage and processing
time.  I don't have hard numbers but it was implemented to be minimal.

>
>
> E
>
>