[Snort-users] Packet Performance Monitoring Question...

Edward Bjarte Fjellskål edward.fjellskal at ...14590...
Wed Apr 7 16:13:57 EDT 2010


Hi,

If I'm using:

config ppm: max-rule-time 5000, \
    threshold 10, \
    suspend-expensive-rules, \
    suspend-timeout 60, \
    rule-log log

How will this technically work...
If a rule uses more than 5000 usecs 9
times on, say, day 1 of running Snort, and
on, say, day 4, the rule again uses above 5000 usecs,

will it then be suspended for 60 seconds?

Does Snort keep threshold stats for each rule
forever? Or is the threshold within some default
timeout?

Does enabling ppm for rules degrade the performance of Snort?
(as it may have to do more checking of the threshold for
each rule, and maybe also suspending it and bringing it back...)


E



