<div dir="ltr"><div><div>Thanks Russ, much appreciated.   This kind of begs the question, when PPM suspends a rule, does the single rule get suspended or the entire tree (which could be multiple rules)?<br><br></div>Thanks.<br><br></div>-Mike Cox<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 26, 2016 at 8:57 AM, Russ <span dir="ltr"><<a href="mailto:rucombs@...3461..." target="_blank">rucombs@...3461...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hey Mike,<br>
    <br>
    This has been a "feature" of Snort for quite a while and likely will
    only be fixed in Snort++, which inherited the issue.  It arose when
    we added a performance feature to compile all the rules that share a
    fast pattern match end state into a single tree that can be
    evaluated more quickly than iterating over the individual rules. 
    Such rules tend to have a lot in common and the common part is
    evaluated just once.  Consequently, when the tree triggers a latency
    event, it could be one or more rules that are at fault.  I'm
    thinking we will add a mapping and report the index that can be used
    to find the rules.  This is in our backlog.<br>
    <br>
    Thanks<br>
    Russ<div><div class="h5"><br>
    <br>
    <div class="m_6553250454472878870moz-cite-prefix">On 9/26/16 8:27 AM, Mike Cox wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      
      <div dir="ltr">
        <div>
          <div>Perhaps snort-sigs was the wrong place to post this. 
            Removing them and adding snort-devel.<br>
            <br>
          </div>
          Thanks.<br>
          <br>
        </div>
        Mike Cox<br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, Sep 22, 2016 at 10:59 AM,
            Mike Cox <span dir="ltr"><<a href="mailto:mike.cox52@...1067...2499..." target="_blank">mike.cox52@...2499...</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">
                <div>
                  <div>
                    <div>I've been messing around with the Packet
                      Performance Monitor (PPM) preprocessor and it seems
                      like a nice capability of Snort.<br>
                      <br>
                    </div>
                    However, when I configure it to suspend/disable
                    expensive rules once the thresholds are reached, how
                    do I know which rule was suspended?  I see it
                    generates the GID 134 alert along with the packet it
                    was considering at the time but I need to be able to
                    know what rule was suspended so I can:<br>
                    <br>
                  </div>
                  <div>1) account for and correlate the coverage gap (if
                    necessary)<br>
                  </div>
                  <div>2) tune the rule<br>
                  </div>
                  <div><br>
                  </div>
                  Thanks!<span class="m_6553250454472878870HOEnZb"><font color="#888888"><br>
                      <br>
                    </font></span></div>
                <span class="m_6553250454472878870HOEnZb"><font color="#888888">Mike Cox<br>
                  </font></span></div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
      <fieldset class="m_6553250454472878870mimeAttachmentHeader"></fieldset>
      <br>
      </div></div><pre>------------------------------------------------------------------------------
</pre>
      <br>
      <fieldset class="m_6553250454472878870mimeAttachmentHeader"></fieldset>
      <br>
      <pre>_______________________________________________
Snort-devel mailing list
<a class="m_6553250454472878870moz-txt-link-abbreviated" href="mailto:Snort-devel@lists.sourceforge.net" target="_blank">Snort-devel@...2402...net</a>
<a class="m_6553250454472878870moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/snort-devel" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-devel</a>
Archive:
<a class="m_6553250454472878870moz-txt-link-freetext" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel</a>

Please visit <a class="m_6553250454472878870moz-txt-link-freetext" href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> for the latest news about Snort!</pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div>
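<p>As an added example (not code from the thread or from the Snort project), the Python below pulls the GID 134 PPM events Mike refers to out of alert_fast-style lines and turns them into coverage-gap windows, which is the accounting step he asks about. The sample log lines are constructed, and the GID 134 SID meanings and message texts are assumptions to be checked against your own gen-msg.map; because the alert does not name the suspended rule tree, a re-enable event is matched to the oldest still-open suspension.</p>

```python
import re
from datetime import datetime

# Constructed alert_fast-style lines (not taken from the thread). The GID 134
# alerts carry the packet PPM was inspecting, but not the rule(s) in the tree.
SAMPLE_ALERTS = """\
09/26/16-08:27:01.100000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234
09/26/16-08:27:02.000000  [**] [134:1:1] PPM rule tree latency exceeded [**] [Priority: 0] {TCP} 10.0.0.9:51235 -> 10.0.0.5:80
09/26/16-08:27:02.000500  [**] [134:2:1] PPM rule tree suspended [**] [Priority: 0] {TCP} 10.0.0.9:51235 -> 10.0.0.5:80
09/26/16-08:27:32.000000  [**] [134:3:1] PPM rule tree re-enabled [**] [Priority: 0] {TCP} 10.0.0.9:51236 -> 10.0.0.5:80
09/26/16-08:27:40.000000  [**] [134:2:1] PPM rule tree suspended [**] [Priority: 0] {UDP} 10.0.0.7:5353 -> 224.0.0.251:5353
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

PPM_GID = 134
# Assumed SID meanings for GID 134; verify against your gen-msg.map.
SID_SUSPENDED, SID_REENABLED = 2, 3

def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f")
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d

def coverage_gaps(lines):
    """One dict per suspension: start, end (None if still open) and the
    packet PPM was inspecting when the tree was suspended."""
    gaps, still_open = [], []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["gid"] != PPM_GID:
            continue
        if a["sid"] == SID_SUSPENDED:
            gap = {"start": a["ts"], "end": None,
                   "trigger": f'{a["proto"]} {a["src"]} -> {a["dst"]}'}
            gaps.append(gap)
            still_open.append(gap)
        elif a["sid"] == SID_REENABLED and still_open:
            # The alert names no tree, so close the oldest open suspension.
            still_open.pop(0)["end"] = a["ts"]
    return gaps

def gap_seconds(gap):
    """Length of a closed gap in seconds, or None while it is still open."""
    return None if gap["end"] is None else (gap["end"] - gap["start"]).total_seconds()
```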