[Snort-devel] [Fwd: [Snort-users] Packet Performance Monitoring Question...]

Edward Bjarte Fjellskål edward.fjellskal at ...3083...
Wed Apr 14 16:28:33 EDT 2010


Hi Russ,

Thanks for the answers. I do have a trillion more questions, but
I'll try to meditate over them before I ask them... :P

I can't really see where such a feature would be useful other than
on a sensor that is overloaded, and continuously dropping packets...
(undersized for its network)....
You either:
 - disable some rules, and drop "no"/few packets,
or
 - have your rules enabled, and drop more packets...

either way, you are not inspecting all the traffic :)

Might make your dropped-packet ratio look nice though...

Question:
snort[7149]: PPM: Rule-Event address=0x20c859e0 Pkt[1124382921] used=18689.7 usecs suspended 04/14-20:25:04.606347

How would I know what rule that is in an easy way?

Best regards,
Edward

Russ Combs wrote:
> Edward, see the answers below.  Let me know if you have more questions.
> 
> Russ
> 
> 2010/4/9 Edward Bjarte Fjellskål <edward.fjellskal at ...3083...
> <mailto:edward.fjellskal at ...3083...>>
> 
>     Hope this list knows :)
> 
>     ./ebf0
> 
>     Hi,
> 
>     If I'm using:
> 
>     config ppm: max-rule-time 5000, \
>        threshold 10, \
>        suspend-expensive-rules, \
>        suspend-timeout 60, \
>        rule-log log
> 
>     How will this technically work...
>     If a rule uses more than 5000 usecs 9
>     times say day 1 of running Snort, and
>     say day 4, the rule again uses above 5000 usecs,
> 
>     will it then be suspended for 60 seconds?
> 
> 
> Yes.
> 
> 
>     Does Snort keep threshold stats for each rule for
>     forever? or is the threshold within some default
>     timeout?
> 
> 
> Yes - the stats are retained until restart.
> 
> 
>     Does enabling ppm for rules degrade performance of Snort?
>     (as it maybe has to do more checking of the threshold for
>     each rule, and maybe also suspending it and bringing it back...)
> 
> 
> Yes - there will be some overhead, both for rule storage and processing
> time.  I don't have hard numbers but it was implemented to be minimal.
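The threshold behaviour Russ describes (per-rule exceedance counts kept until restart, suspension for suspend-timeout seconds once the count reaches the threshold) and the PPM log line Edward quotes, as an added example that is not part of the original thread or of Snort's code. The sample log text is constructed, and the regex assumes that Rule-Event lines for non-suspended evaluations simply omit the word "suspended".

```python
import re
from dataclasses import dataclass, field

# Pattern for the 'PPM: Rule-Event' line quoted in the thread. The optional
# 'suspended ' group is an assumption about the non-suspended variant.
PPM_RE = re.compile(
    r"PPM: Rule-Event address=(?P<address>0x[0-9a-fA-F]+) "
    r"Pkt\[(?P<pkt>\d+)\] used=(?P<used>[\d.]+) usecs "
    r"(?P<suspended>suspended )?(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")

def parse_ppm_event(line):
    """Return the fields of a PPM Rule-Event syslog line, or None."""
    m = PPM_RE.search(line)
    if not m:
        return None
    return {"address": m["address"], "pkt": int(m["pkt"]),
            "used_usecs": float(m["used"]),
            "suspended": m["suspended"] is not None, "ts": m["ts"]}

def suspensions_by_rule(log_text):
    """Count 'suspended' events per rule address across syslog text."""
    out = {}
    for line in log_text.splitlines():
        ev = parse_ppm_event(line)
        if ev and ev["suspended"]:
            out[ev["address"]] = out.get(ev["address"], 0) + 1
    return out

# Constructed sample: one suspension plus a slow-but-not-suspended evaluation.
SAMPLE_LOG = """\
snort[7149]: PPM: Rule-Event address=0x20c859e0 Pkt[1124382921] used=18689.7 usecs suspended 04/14-20:25:04.606347
snort[7149]: PPM: Rule-Event address=0x20c85a10 Pkt[1124383000] used=7001.0 usecs 04/14-20:25:06.100000
"""

@dataclass
class PpmTracker:
    """Model of the quoted config: counts are never reset until restart."""
    max_rule_time: float = 5000.0   # usecs
    threshold: int = 10
    suspend_timeout: float = 60.0   # seconds
    counts: dict = field(default_factory=dict)
    suspended_until: dict = field(default_factory=dict)

    def record(self, address, used_usecs, now):
        """Feed one rule evaluation; return True if the rule is suspended now."""
        if used_usecs > self.max_rule_time:
            self.counts[address] = self.counts.get(address, 0) + 1
            if self.counts[address] >= self.threshold:
                self.suspended_until[address] = now + self.suspend_timeout
        return self.is_suspended(address, now)

    def is_suspended(self, address, now):
        return now < self.suspended_until.get(address, -1.0)
```

Because the counts are retained, the 9 exceedances on day 1 plus a single one on day 4 trigger the suspension, exactly as in the exchange above.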