[Snort-users] Pat-Matched counter in perfmonitor preprocessor

sekure sekure at ...11827...
Tue Oct 19 09:05:29 EDT 2004


Snort 2.2.0 on Linux 2.4.21
preprocessor perfmonitor: time 300 flow events file snort.stats pktcnt 10000

I've noticed a few occasions where the Pat-Matched counter in the
perfmon preprocessor logs above 100%.  Is this normal?

What exactly does "%bytes pattern matched" mean?  Percent of bytes
captured that matched a rule? That doesn't make sense, since I'd
expect it to be something like .01%.  Percent of bytes captured that
got tested against various signatures?  Why wouldn't it always be
100%?

In other words: Help???



