[Snort-users] Pat-Matched counter in perfmonitor preprocessor

sekure sekure at ...11827...
Tue Oct 19 12:14:45 EDT 2004


On Tue, 19 Oct 2004 14:27:14 -0400, Jeremy Hewlett <jh at ...1935...> wrote:
> On Tue, Oct 19, sekure wrote:
> > I've noticed a few occasions where the Pat-Matched counter in the
> > perfmon preprocessor logs above 100%.  Is this normal?
> 
> Reassembled packets can sometimes cause this to be over 100%. 

Makes sense.  

> > What exactly does "%bytes pattern matched" mean?
> 
> Says what percent of traffic is being pattern matched by Snort. So, if
> there's traffic that is not being pattern matched this will affect the
> percentage.

Can you explain why certain traffic wouldn't be pattern matched? 
Matched against what pattern? The signatures? I am seeing < 70%
pattern matched on some sensors.  Is this "bad"?



