Snort mailing list archives

Re: Pat-Mached counter in perfmonitor preprocessor

From: Jeremy Hewlett <jh () sourcefire com>
Date: Tue, 19 Oct 2004 16:36:32 -0400

On Tue, Oct 19, sekure wrote:

Can you explain why certain traffic wouldn't be pattern matched?


We don't have a rule or we're ignoring traffic (ie: flow_depth in
http_inspect where we ignore some server-side traffic).

I am seeing < 70% pattern matched on some sensors.  Is this "bad"?


This is normal. When tuning for performance, the lower this number,
the better. On an average network, this percentage is anywhere between
15%-40% pattern match. 


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Pat-Mached counter in perfmonitor preprocessor sekure (Oct 19)
- Re: Pat-Mached counter in perfmonitor preprocessor Jeremy Hewlett (Oct 19)
  - Re: Pat-Mached counter in perfmonitor preprocessor sekure (Oct 19)
    - Re: Pat-Mached counter in perfmonitor preprocessor Jeremy Hewlett (Oct 19)