[Snort-devel] Packet Performance Monitor

Russ rucombs at ...3461...
Mon Sep 26 08:57:19 EDT 2016


Hey Mike,

This has been a "feature" of Snort for quite a while and likely will 
only be fixed in Snort++, which inherited the issue.  It arose when we 
added a performance feature to compile all the rules that share a fast 
pattern match end state into a single tree that can be evaluated more 
quickly than iterating over the individual rules. Such rules tend to 
have a lot in common and the common part is evaluated just once.  
Consequently, when the tree triggers a latency event, it could be one or 
more rules that are at fault.  I'm thinking we will add a mapping and 
report the index that can be used to find the rules.  This is in our 
backlog.

Thanks
Russ

On 9/26/16 8:27 AM, Mike Cox wrote:
> Perhaps snort-sigs was the wrong place to post this. Removing them and 
> adding snort-devel.
>
> Thanks.
>
> Mike Cox
>
> On Thu, Sep 22, 2016 at 10:59 AM, Mike Cox <mike.cox52 at ...2499... 
> <mailto:mike.cox52 at ...2499...>> wrote:
>
>     I've been messing around with the Packet Performance Monitor (PPM)
>     preprocessor and it seems like a nice capability of Snort.
>
>     However, when I configure it to suspend/disable expensive rules
>     once the thresholds are reached, how do I know which rule was
>     suspended?  I see it generates the GID 134 alert along with the
>     packet it was considering at the time but I need to be able to
>     know what rule was suspended so I can:
>
>     1) account for and correlate the coverage gap (if necessary)
>     2) tune the rule
>
>     Thanks!
>
>     Mike Cox
>

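As an added example, not from the thread and not Snort project documentation, here is a snort.conf fragment of the kind Mike describes: a per-rule latency budget with rule suspension turned on, plus rule-latency logging so there is something beyond the GID 134 alert to correlate with. The option names follow README.ppm for Snort 2.9 as I recall them and the thresholds are illustrative; check both against the README.ppm shipped with your build, which must have PPM support compiled in.

```conf
# Added example (not from the thread): snort.conf fragment for the Packet
# Performance Monitor. Times are in microseconds; values are illustrative.

# Rule latency. The budget applies per rule (in practice per compiled rule
# tree) per packet; "threshold" is how many consecutive violations are
# tolerated before the rule is suspended. Without suspend-expensive-rules
# PPM only reports. suspend-timeout is how long (seconds) a suspended rule
# stays off; 0 keeps it off for the rest of the run. rule-log can write the
# event to the log, raise the GID 134 alert, or both.
config ppm: max-rule-time 50, threshold 5, \
            suspend-expensive-rules, suspend-timeout 300, \
            rule-log alert log

# Packet latency, independent of the rule budget: a packet that has already
# used more than its budget is no longer inspected (fastpath) and a GID 134
# event is raised for it.
config ppm: max-pkt-time 300, fastpath-expensive-packets, pkt-log
```

Because the suspension applies to the compiled tree rather than to one signature, the packet attached to the 134 alert tells you which traffic tripped the budget but not which of the tree's rules did the work. For Mike's second goal, tuning the rule, I would pair PPM with rule profiling (`config profile_rules: print all, sort avg_ticks`, in a build with performance profiling enabled), whose per-rule output does name individual SIDs; that is my suggestion, not something the thread proposes.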