[Snort-devel] Packet Performance Monitor

Mike Cox mike.cox52 at ...2499...
Mon Oct 3 15:01:08 EDT 2016


Thanks Russ, much appreciated. This kind of begs the question: when PPM
suspends a rule, does the single rule get suspended or the entire tree
(which could be multiple rules)?

Thanks.

-Mike Cox

On Mon, Sep 26, 2016 at 8:57 AM, Russ <rucombs at ...3461...> wrote:

> Hey Mike,
>
> This has been a "feature" of Snort for quite a while and likely will only
> be fixed in Snort++, which inherited the issue.  It arose when we added a
> performance feature to compile all the rules that share a fast pattern
> match end state into a single tree that can be evaluated more quickly than
> iterating over the individual rules.  Such rules tend to have a lot in
> common and the common part is evaluated just once.  Consequently, when the
> tree triggers a latency event, it could be one or more rules that are at
> fault.  I'm thinking we will add a mapping and report the index that can be
> used to find the rules.  This is in our backlog.
>
> Thanks
> Russ
>
>
> On 9/26/16 8:27 AM, Mike Cox wrote:
>
> Perhaps snort-sigs was the wrong place to post this.  Removing them and
> adding snort-devel.
>
> Thanks.
>
> Mike Cox
>
> On Thu, Sep 22, 2016 at 10:59 AM, Mike Cox <mike.cox52 at ...2499...> wrote:
>
>> I've been messing around with the Packet Performance Monitor (PPM)
>> preprocessor and it seems like a nice capability of Snort.
>>
>> However, when I configure it to suspend/disable expensive rules once the
>> thresholds are reached, how do I know which rule was suspended?  I see it
>> generates the GID 134 alert along with the packet it was considering at the
>> time but I need to be able to know what rule was suspended so I can:
>>
>> 1) account for and correlate the coverage gap (if necessary)
>> 2) tune the rule
>>
>> Thanks!
>>
>> Mike Cox
>>
>
>
>
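Until PPM reports which rule (or rule tree) it suspended, the only handles a GID 134 event gives an analyst are its timestamp and the packet PPM was evaluating when it fired. The script below is an added example, not code from this thread or from the Snort project: it reads Snort alert_fast lines, keeps only generator 134, and pairs "rule options disabled" events with the following "re-enabled" events to produce the coverage-gap windows Mike asks about in point 1, each tagged with the triggering packet's protocol and endpoints as a lead for point 2. Assumptions that are not stated in the thread: SID 1 is the disable event and SID 2 the re-enable event under GID 134; the alert_fast line layout is `MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port`; pairing is first-in-first-out, which holds when a single suspend-timeout value applies to every rule; the year (absent from alert_fast timestamps) defaults to 2016. The sample alert lines are constructed for this example.

```python
"""Derive PPM rule-suspension (coverage-gap) windows from Snort alert_fast output.

Added example for the snort-devel thread above; not Snort project code.
Assumptions are marked in comments. Sample lines below are constructed.
"""
import re
from datetime import datetime

PPM_GID = 134               # generator of PPM alerts, as stated in the thread
SID_RULE_DISABLED = 1       # assumption: "rule options disabled by rule latency"
SID_RULE_REENABLED = 2      # assumption: "rule options re-enabled by rule latency"

# Assumed alert_fast layout; the trailing 5-tuple is optional because some
# alerts are logged without one.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:.*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)

# Constructed sample alerts (not real Snort output): one ordinary rule hit,
# two PPM suspensions, and one PPM re-enable that closes the first of them.
SAMPLE_ALERTS = """\
10/03-14:58:01.104233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.1.5:80 -> 10.1.1.9:51322
10/03-14:58:03.220018  [**] [134:1:1] (ppm) rule options disabled by rule latency [**] [Priority: 3] {TCP} 10.1.1.5:80 -> 10.1.1.9:51322
10/03-14:58:05.000000  [**] [134:1:1] (ppm) rule options disabled by rule latency [**] [Priority: 3] {UDP} 10.1.1.7:53 -> 10.1.1.9:40001
10/03-14:58:33.220500  [**] [134:2:1] (ppm) rule options re-enabled by rule latency [**] [Priority: 3] {TCP} 10.1.1.5:80 -> 10.1.1.9:51322
"""


def parse_alert(line, year=2016):
    """Parse one alert_fast line into a dict, or return None if it does not match.

    alert_fast timestamps carry no year, so the caller supplies one; parsing
    with an explicit year also keeps 02/29 from failing on a non-leap default.
    """
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "ts": ts,
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "rev": int(m["rev"]),
        "msg": m["msg"],
        "proto": m["proto"],   # None when the line has no 5-tuple
        "src": m["src"],
        "dst": m["dst"],
    }


def ppm_suspension_windows(lines, year=2016):
    """Pair GID 134 disable/re-enable events into coverage-gap windows.

    Pairing is FIFO: with one configured suspend-timeout, the rule disabled
    first is the rule re-enabled first (assumption, see lead-in). A window
    whose disable has no later re-enable is reported with end=None, i.e. the
    gap was still open when the log ended.
    """
    pending = []    # disable events awaiting a matching re-enable, oldest first
    windows = []

    def window(start, end):
        seconds = (end["ts"] - start["ts"]).total_seconds() if end else None
        return {
            "start": start["ts"], "end": end["ts"] if end else None,
            "seconds": seconds,
            # The triggering packet is the only lead PPM gives toward the rule.
            "proto": start["proto"], "src": start["src"], "dst": start["dst"],
        }

    for line in lines:
        ev = parse_alert(line, year)
        if ev is None or ev["gid"] != PPM_GID:
            continue
        if ev["sid"] == SID_RULE_DISABLED:
            pending.append(ev)
        elif ev["sid"] == SID_RULE_REENABLED and pending:
            windows.append(window(pending.pop(0), ev))
    # Anything still pending is an open gap at end of log.
    windows.extend(window(ev, None) for ev in pending)
    return windows


if __name__ == "__main__":
    for w in ppm_suspension_windows(SAMPLE_ALERTS.splitlines()):
        end = w["end"].isoformat(" ") if w["end"] else "still suspended"
        print(f"{w['start'].isoformat(' ')} -> {end}  "
              f"{w['proto']} {w['src']} -> {w['dst']}")
```

Feed it the alert_fast file from the sensor that has `suspend-expensive-rules` turned on; each printed window is a period in which at least one rule tree was not inspecting traffic, and the packet endpoints on the same line tell you which traffic to replay against your ruleset to find the expensive candidate.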