[Snort-devel] [Fwd: [Snort-users] Packet Performance Monitoring Question...]

Russ Combs rcombs at ...402...
Wed Apr 14 16:54:14 EDT 2010


2010/4/14 Edward Bjarte Fjellskål <edward.fjellskal at ...3083...>

> Hi Russ,
>
> Thanks for the answers. I do have a trillion more questions, but
> I'll try to meditate over them before I ask them... :P
>
> I can't really see where such a feature would be useful other than
> on a sensor that is overloaded, and continuously dropping packets...
> (undersized for its network)....
> You either:
>  - disable some rules, and drop "no"/few packets,
> or
>  - have your rules enabled, and drop more packets...
>
> either way, you are not inspecting all the traffic :)
>
> Might make your dropped-packet ratio look nice though...
>
> Question:
> snort[7149]: PPM: Rule-Event address=0x20c859e0 Pkt[1124382921]
> used=18689.7 usecs suspended 04/14-20:25:04.606347
>
> How would I know what rule that is in an easy way?
>

Regrettably, there is no easy way to tell.  This actually tells you where in
the detection tree the threshold was exceeded, but the output doesn't
indicate which rule(s) are affected.  I've opened a bug on this.

>
> Best regards,
> Edward
>
> Russ Combs wrote:
> > Edward, see the answers below.  Let me know if you have more questions.
> >
> > Russ
> >
> > 2010/4/9 Edward Bjarte Fjellskål <edward.fjellskal at ...3083...
> > <mailto:edward.fjellskal at ...3083...>>
> >
> >     Hope this list knows :)
> >
> >     ./ebf0
> >
> >     Hi,
> >
> >     If I'm using:
> >
> >     config ppm: max-rule-time 5000, \
> >        threshold 10, \
> >        suspend-expensive-rules, \
> >        suspend-timeout 60, \
> >        rule-log log
> >
> >     How will this technically work...
> >     If a rule uses more than 5000 usecs 9
> >     times, say on day 1 of running Snort, and
> >     then, say on day 4, the rule again uses more than 5000 usecs,
> >
> >     will it then be suspended for 60 seconds?
> >
> >
> > Yes.
> >
> >
> >     Does Snort keep threshold stats for each rule for
> >     forever? or is the threshold within some default
> >     timeout?
> >
> >
> > Yes - the stats are retained until restart.
> >
> >
> >     Does enabling ppm for rules degrade performance of Snort?
> >     (as it maybe has to do more checking of the threshold for
> >     each rule, and maybe also suspending it and bringing it back...)
> >
> >
> > Yes - there will be some overhead, both for rule storage and processing
> > time.  I don't have hard numbers but it was implemented to be minimal.
>
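The behaviour described in this exchange (a per-rule count of max-rule-time excesses that is kept until restart, a suspension of suspend-timeout seconds once the count reaches threshold, and the PPM: Rule-Event log line that is hard to map back to a rule) is modelled below as an added example. This is not Snort code and not from either poster; it uses the config values quoted in the thread, a constructed set of syslog lines in the shape of the one quoted above, and one assumption the thread does not settle: whether the excess count is cleared when a suspended rule comes back into service (the model keeps it, controlled by RESET_COUNT_ON_RESUME).

```python
"""Model of the Snort 2.x PPM rule-suspension behaviour as described in this
thread, plus a parser for the 'PPM: Rule-Event' log line quoted in it.
Added illustration, not Snort code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# config ppm: max-rule-time 5000, threshold 10, suspend-timeout 60 (from the thread)
MAX_RULE_TIME_USECS = 5000.0
THRESHOLD = 10
SUSPEND_TIMEOUT_SECS = 60.0
# Assumption: the thread does not say what happens to the count when the rule
# is re-enabled after suspend-timeout; this model keeps it unless set to True.
RESET_COUNT_ON_RESUME = False
DAY = 86400.0


@dataclass
class RuleState:
    excess_count: int = 0                   # cumulative until restart (per the thread)
    suspended_until: Optional[float] = None # epoch seconds; None = rule is active


@dataclass
class PpmModel:
    rules: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # (time, rule_id, action)

    def _state(self, rule_id):
        return self.rules.setdefault(rule_id, RuleState())

    def is_suspended(self, rule_id, now):
        """Lazily re-enables the rule once suspend-timeout has elapsed."""
        st = self._state(rule_id)
        if st.suspended_until is None:
            return False
        if now >= st.suspended_until:
            st.suspended_until = None
            if RESET_COUNT_ON_RESUME:
                st.excess_count = 0
            self.events.append((now, rule_id, "re-enabled"))
            return False
        return True

    def evaluate(self, rule_id, now, used_usecs):
        """Account for one evaluation of rule_id taking used_usecs.
        Returns 'skipped' (rule suspended), 'suspended' (this excess tripped
        the threshold) or 'ok'."""
        if self.is_suspended(rule_id, now):
            return "skipped"
        st = self._state(rule_id)
        if used_usecs <= MAX_RULE_TIME_USECS:
            return "ok"
        st.excess_count += 1
        if st.excess_count >= THRESHOLD:
            st.suspended_until = now + SUSPEND_TIMEOUT_SECS
            self.events.append((now, rule_id, "suspended"))
            return "suspended"
        return "ok"


def scenario_from_thread():
    """Nine excesses on day 1, the tenth on day 4: the rule is suspended for 60 s.
    The last entry shows the consequence of keeping the count: with no reset,
    the very next excess after re-enabling suspends the rule again."""
    m = PpmModel()
    rule = "sid:1000001"  # hypothetical rule id
    results = [m.evaluate(rule, float(i), 6000.0) for i in range(9)]   # day 1
    results.append(m.evaluate(rule, 3 * DAY, 18689.7))        # day 4: 10th excess
    results.append(m.evaluate(rule, 3 * DAY + 30, 100.0))     # still suspended
    results.append(m.evaluate(rule, 3 * DAY + 61, 100.0))     # timeout elapsed
    results.append(m.evaluate(rule, 3 * DAY + 62, 6000.0))    # excess #11
    return results


PPM_RULE_EVENT = re.compile(
    r"PPM: Rule-Event address=(?P<address>0x[0-9a-fA-F]+) "
    r"Pkt\[(?P<pkt>\d+)\] used=(?P<used>[\d.]+) usecs "
    r"(?P<action>\S+) (?P<when>\S+)"
)


def parse_rule_event(line):
    m = PPM_RULE_EVENT.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pkt"] = int(ev["pkt"])
    ev["used"] = float(ev["used"])
    return ev


# First line is the one quoted in the thread; the rest are constructed.
SAMPLE_SYSLOG = """\
snort[7149]: PPM: Rule-Event address=0x20c859e0 Pkt[1124382921] used=18689.7 usecs suspended 04/14-20:25:04.606347
snort[7149]: PPM: Rule-Event address=0x20c859e0 Pkt[1124390012] used=7210.3 usecs suspended 04/14-20:26:09.001122
snort[7149]: PPM: Rule-Event address=0x20d11a40 Pkt[1124402299] used=5388.0 usecs suspended 04/14-20:27:44.517790
snort[7149]: unrelated line, ignored by the parser
"""


def suspensions_by_address(text):
    """Tally 'suspended' events per detection-tree address, the only handle
    the log line offers (the thread notes it cannot easily be mapped to a rule)."""
    counts = {}
    for line in text.splitlines():
        ev = parse_rule_event(line)
        if ev and ev["action"] == "suspended":
            counts[ev["address"]] = counts.get(ev["address"], 0) + 1
    return counts


if __name__ == "__main__":
    print(scenario_from_thread())
    print(suspensions_by_address(SAMPLE_SYSLOG))
```

Grouping by address at least shows which detection-tree nodes keep getting suspended and when; tying an address back to a specific rule still has to be done by hand (or after the bug mentioned above is fixed).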