Edward Bjarte Fjellskål
edward.fjellskal at ...14590...
Thu Nov 12 00:26:43 EST 2009
Jefferson, Shawn wrote:
As a comment to pmgraph.pl, I have earlier made some basic plugins for
Munin that graph different stuff that I use/need to tune snort.
In light of the new stable version of Munin soon to come this year
(current is 1.4.0-alpha), I will probably spend some time and rewrite
the plugin in perl, and merge all into one plugin.
Munin also uses Tobi Oetiker's rrdtool btw.
But at the moment, munin is a must for me on all sensors.
> Well, in the recent Sourcefire webinar on tuning the snort sensors it came up. From the whitepaper at http://www.snort.org/assets/126/WhitePaper_Snort_PerformanceTuning_2009.pdf
> "The next statistic is pattern match percentage. This is the number of bytes that Snort is passing through the pattern matcher to identify possible rules, compared to the total number of bytes seen by Snort. This number could be higher than 100%, in the case of IP defragmentation, TCP reassembly, DCE/RPC reassembly, etc. Ideally this would be in the 10% range."