[Snort-devel] [Fwd: [Snort-users] Packet Performance Monitoring Question...]
Edward Bjarte Fjellskål
edward.fjellskal at ...3083...
Wed Apr 14 16:28:33 EDT 2010
Thanks for the answers. I do have a trillion more questions, but
ill try to meditate over them before I ask them... :P
I cant really see where such a feature would be useful other than
on a sensor that is overloaded, and continuously dropping packets...
(undersized for its network)....
- disable some rules, and drop "no"/few packets,
- have your rules enabled, and drop more packets...
eater way, you are not inspecting all the traffic :)
Might make your dropped-packet ratio look nice though...
snort: PPM: Rule-Event address=0x20c859e0 Pkt
used=18689.7 usecs suspended 04/14-20:25:04.606347
How would I know what rule that is in a easy way?
Russ Combs wrote:
> Edward, see the answers below. Let me know if you have more questions.
> 2010/4/9 Edward Bjarte Fjellskål <edward.fjellskal at ...3083...
> <mailto:edward.fjellskal at ...3083...>>
> Hope this list knows :)
> If I'm using:
> config ppm: max-rule-time 5000, \
> threshold 10, \
> suspend-expensive-rules, \
> suspend-timeout 60, \
> rule-log log
> How will this technically work...
> If a rule uses more than 5000 usecs 9
> times say day 1 of running Snort, and
> say day 4, the rule again uses above 5000 usecs,
> will it then be suspended for 60 seconds?
> Does Snort keep threshold stats for each rule for
> forever? or is the threshold within some default
> Yes - the stats are retained until restart.
> Does enabling ppm for rules degrade performance of Snort?
> (as it maybe has to do more checking of the threshold for
> each rule, and maybe also suspending it and bringing it back...)
> Yes - there will be some overhead, both for rule storage and processing
> time. I don't have hard numbers but it was implemented to be minimal.
More information about the Snort-devel