[Snort-devel] [Fwd: [Snort-users] Packet Performance Monitoring Question...]

Edward Bjarte Fjellskål edward.fjellskal at ...3083...
Wed Apr 14 17:09:48 EDT 2010


Russ Combs wrote:
>     Question:
>     snort[7149]: PPM: Rule-Event address=0x20c859e0 Pkt[1124382921]
>     used=18689.7 usecs suspended 04/14-20:25:04.606347
> 
>     How would I know what rule that is in a easy way?
> 
> 
> Regrettably, there is no easy way to tell.  This actually tells you
> where in the detection tree the threshold was exceeded, but the output
> doesn't indicate which rule(s) are affected.  I've opened a bug on this.

Cool,
hope that it is possible to implement in a easy way :)

E




More information about the Snort-devel mailing list