[Snort-devel] Packet Performance Monitor

Russ rucombs at ...3461...
Mon Oct 3 15:21:16 EDT 2016



On 10/3/16 3:01 PM, Mike Cox wrote:
> Thanks Russ, much appreciated.   This kind of begs the question, when 
> PPM suspends a rule, does the single rule get suspended or the entire 
> tree (which could be multiple rules)?
The whole tree.

BTW, Snort++ adds the first rule in the tree to the latency event logs 
in the update later this week.  Something may be done in Snort as well.  
TBD.
>
> Thanks.
>
> -Mike Cox
>
> On Mon, Sep 26, 2016 at 8:57 AM, Russ <rucombs at ...3461...> wrote:
>
>     Hey Mike,
>
>     This has been a "feature" of Snort for quite a while and likely
>     will only be fixed in Snort++, which inherited the issue.  It
>     arose when we added a performance feature to compile all the rules
>     that share a fast pattern match end state into a single tree that
>     can be evaluated more quickly than iterating over the individual
>     rules.  Such rules tend to have a lot in common and the common
>     part is evaluated just once.  Consequently, when the tree triggers
>     a latency event, it could be one or more rules that are at fault. 
>     I'm thinking we will add a mapping and report the index that can
>     be used to find the rules.  This is in our backlog.
>
>     Thanks
>     Russ
>
>
>     On 9/26/16 8:27 AM, Mike Cox wrote:
>>     Perhaps snort-sigs was the wrong place to post this.  Removing
>>     them and adding snort-devel.
>>
>>     Thanks.
>>
>>     Mike Cox
>>
>>     On Thu, Sep 22, 2016 at 10:59 AM, Mike Cox <mike.cox52 at ...2499...> wrote:
>>
>>         I've been messing around with the Packet Performance Monitor
>>         (PPM) preprocessor and it seems like a nice capability of Snort.
>>
>>         However, when I configure it to suspend/disable expensive
>>         rules once the thresholds are reached, how do I know which
>>         rule was suspended?  I see it generates the GID 134 alert
>>         along with the packet it was considering at the time but I
>>         need to be able to know what rule was suspended so I can:
>>
>>         1) account for and correlate the coverage gap (if necessary)
>>         2) tune the rule
>>
>>         Thanks!
>>
>>         Mike Cox
>>
>>
>>
>>
>>     ------------------------------------------------------------------------------
>>
>>     _______________________________________________
>>     Snort-devel mailing list
>>     Snort-devel at lists.sourceforge.net
>>     https://lists.sourceforge.net/lists/listinfo/snort-devel
>>     Archive:
>>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>>     Please visit http://blog.snort.org for the latest news about Snort!
>
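Since PPM suspends the whole tree rather than one rule, the coverage gap is the set of rules sharing that tree. The following added Python example (not code from this thread or from Snort) approximates the grouping from a Snort 2 rules file: it keys a tree by (protocol, destination port, fast pattern), taking the content flagged `fast_pattern` or else the longest content as the fast pattern (a simplification of Snort's selection), and lists every SID that would go dark along with a given rule. The sample rules and SIDs are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample rules; the SIDs are placeholders, not real Snort signatures.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"admin probe A"; content:"/admin/"; content:"passwd"; fast_pattern; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"admin probe B"; content:"/admin/"; content:"shadow"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"admin probe C"; content:"/admin/"; content:"passwd"; fast_pattern; pcre:"/x{3,}/"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"TLS hello"; content:"|16 03 01|"; sid:1000004; rev:1;)
"""
# rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s+\((.*)\)\s*$")
# one option: key:value; or a bare flag like fast_pattern; (quoted values may contain ';')
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')

def parse_rule(line):
    """Return (sid, proto, dport, fast_pattern) for one Snort 2 rule line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    _action, proto, dport, opts = m.groups()
    sid, contents, explicit = None, [], None
    for key, val in OPT_RE.findall(opts):
        if key == "content":
            contents.append(val.strip('"'))
        elif key == "fast_pattern" and contents:
            explicit = contents[-1]  # the modifier binds to the preceding content
        elif key == "sid":
            sid = int(val)
    if sid is None or not contents:
        return None  # no content match: the rule is not in any pattern tree
    # Simplification: Snort defaults to the longest content when none is flagged.
    fp = explicit if explicit is not None else max(contents, key=len)
    return sid, proto, dport, fp

def build_trees(rules_text):
    """Group SIDs sharing (proto, dst port, fast pattern): one approximate tree each."""
    trees = defaultdict(list)
    for line in rules_text.splitlines():
        if parsed := parse_rule(line):
            sid, proto, dport, fp = parsed
            trees[(proto, dport, fp)].append(sid)
    return dict(trees)

def coverage_gap(rules_text, suspended_sid):
    """Every SID silenced together with suspended_sid: PPM suspends the whole tree."""
    for members in build_trees(rules_text).values():
        if suspended_sid in members:
            return sorted(members)
    return []
```

Feed it the same rules file Snort loads, and a GID 134 suspension reported for one SID can be expanded to the full list of rules whose coverage is lost.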