[Snort-users] Pat-Mached counter in perfmonitor preprocessor

Jeremy Hewlett jh at ...1935...
Tue Oct 19 13:42:27 EDT 2004


On Tue, Oct 19, sekure wrote:
> Can you explain why certain traffic wouldn't be pattern matched? 

We don't have a rule or we're ignoring traffic (ie: flow_depth in
http_inspect where we ignore some server-side traffic).

> I am seeing < 70% pattern matched on some sensors.  Is this "bad"?

This is normal. When tuning for performance, the lower this number,
the better. On an average network, this percentage is anywhere between
15%-40% pattern match. 




More information about the Snort-users mailing list