[Snort-devel] [Fwd: [Snort-users] Packet Performance Monitoring Question...]
spooker at ...2499...
Wed Apr 14 16:35:31 EDT 2010
Take a look here
2010/4/14 Edward Bjarte Fjellskål <edward.fjellskal at ...3083...>:
> Hi Russ,
> Thanks for the answers. I do have a trillion more questions, but
> I'll try to meditate over them before I ask them... :P
> I can't really see where such a feature would be useful other than
> on a sensor that is overloaded, and continuously dropping packets...
> (undersized for its network)....
> You either:
> - disable some rules, and drop "no"/few packets,
> - have your rules enabled, and drop more packets...
> either way, you are not inspecting all the traffic :)
> Might make your dropped-packet ratio look nice though...
> snort: PPM: Rule-Event address=0x20c859e0 Pkt used=18689.7 usecs suspended 04/14-20:25:04.606347
> How would I know what rule that is in an easy way?
> Best regards,
> Russ Combs wrote:
>> Edward, see the answers below. Let me know if you have more questions.
>> 2010/4/9 Edward Bjarte Fjellskål <edward.fjellskal at ...3083...
>> <mailto:edward.fjellskal at ...3083...>>
>> Hope this list knows :)
>> If I'm using:
>> config ppm: max-rule-time 5000, \
>> threshold 10, \
>> suspend-expensive-rules, \
>> suspend-timeout 60, \
>> rule-log log
>> How will this technically work...
>> If a rule uses more than 5000 usecs 9 times on,
>> say, day 1 of running Snort, and on, say, day 4
>> the rule again uses more than 5000 usecs,
>> will it then be suspended for 60 seconds?
>> Does Snort keep threshold stats for each rule
>> forever? Or is the threshold within some default
>> Yes - the stats are retained until restart.
>> Does enabling ppm for rules degrade performance of Snort?
>> (as it maybe has to do more checking of the threshold for
>> each rule, and maybe also suspending it and bringing it back...)
>> Yes - there will be some overhead, both for rule storage and processing
>> time. I don't have hard numbers but it was implemented to be minimal.
Rodrigo Montoro (Sp0oKeR)
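Added example (not from the thread or from Snort's own source): a small replay of the threshold/suspend bookkeeping that Edward's `config ppm` line describes, run over PPM rule-log lines in the format of the one he quoted. It assumes the reading the thread gives (over-time packets are counted per rule until restart, and hitting `threshold` suspends the rule for `suspend-timeout` seconds); the log format is inferred from that single line, the sample lines are constructed, and mapping an `address=` value back to a rule SID is not something the thread provides, so the example only aggregates per address.

```python
import re
from datetime import datetime, timedelta

# Pattern for the PPM rule-event line quoted in the thread (format assumed from that one line).
PPM_RE = re.compile(
    r"PPM: Rule-Event address=(?P<addr>0x[0-9a-fA-F]+) Pkt used=(?P<usecs>[\d.]+) usecs"
    r"(?: suspended)? (?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")

def parse_ppm_line(line):
    """Return (rule address, usecs, timestamp) for a PPM rule-event line, else None."""
    m = PPM_RE.search(line)
    return m and (m["addr"], float(m["usecs"]), datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"))

class PpmTracker:
    """Threshold/suspend bookkeeping as the thread reads 'config ppm' (an assumption, not
    Snort's code): over-time packets are counted per rule until restart, every threshold-th
    count suspends that rule for suspend-timeout seconds, after which it is evaluated again."""
    def __init__(self, max_rule_time=5000.0, threshold=10, suspend_timeout=60):
        self.max_rule_time, self.threshold = max_rule_time, threshold
        self.suspend_timeout = timedelta(seconds=suspend_timeout)
        self.violations = {}       # address -> cumulative over-time count (kept until restart)
        self.suspended_until = {}  # address -> time the suspension lapses

    def observe(self, addr, usecs, ts):
        until = self.suspended_until.get(addr)
        if until is not None:
            if ts < until:
                return "suspended"          # rule is not evaluated while suspended
            del self.suspended_until[addr]  # suspend-timeout elapsed, rule is back in service
        if usecs <= self.max_rule_time:
            return "ok"
        self.violations[addr] = self.violations.get(addr, 0) + 1
        if self.violations[addr] % self.threshold == 0:
            self.suspended_until[addr] = ts + self.suspend_timeout
            return "suspend"
        return "violation"

def replay(lines, **cfg):
    """Feed rule-log lines through the tracker; return {address: [outcome per line]}."""
    tracker, outcomes = PpmTracker(**cfg), {}
    for addr, usecs, ts in filter(None, map(parse_ppm_line, lines)):
        outcomes.setdefault(addr, []).append(tracker.observe(addr, usecs, ts))
    return outcomes

# Constructed sample lines modelled on the one quoted in the thread (not real sensor output).
SAMPLE = [
    "snort: PPM: Rule-Event address=0x20c859e0 Pkt used=18689.7 usecs 04/14-20:25:04.606347",
    "snort: PPM: Rule-Event address=0x20c859e0 Pkt used=6012.0 usecs 04/14-20:25:05.000001",
    "snort: PPM: Rule-Event address=0x20c859e0 Pkt used=7500.3 usecs suspended 04/14-20:25:06.000001",
    "snort: PPM: Rule-Event address=0x20c859e0 Pkt used=9000.0 usecs 04/14-20:25:30.000001",
    "snort: PPM: Rule-Event address=0x20c859e0 Pkt used=9000.0 usecs 04/14-20:26:10.000001",
    "snort: PPM: Rule-Event address=0x20c85a10 Pkt used=5100.0 usecs 04/14-20:26:11.000001",
]
```

With `threshold=3` the third over-time packet for `0x20c859e0` suspends it, the packet 24 seconds later is skipped, and the one after the 60-second timeout is counted again; with the thread's `threshold 10` none of these five events reach the suspension point.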