Snort mailing list archives
Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...]
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 14 Apr 2010 16:54:14 -0400
2010/4/14 Edward Bjarte Fjellskål <edward.fjellskal () redpill-linpro com>
Hi Russ,

Thanks for the answers. I do have a trillion more questions, but I'll try to meditate over them before I ask them... :P

I can't really see where such a feature would be useful other than on a sensor that is overloaded and continuously dropping packets... (undersized for its network)....

You either:
- disable some rules, and drop "no"/few packets, or
- have your rules enabled, and drop more packets...

Either way, you are not inspecting all the traffic :) Might make your dropped-packet ratio look nice though...

Question:

snort[7149]: PPM: Rule-Event address=0x20c859e0 Pkt[1124382921] used=18689.7 usecs suspended 04/14-20:25:04.606347

How would I know what rule that is in an easy way?
Regrettably, there is no easy way to tell. This actually tells you where in the detection tree the threshold was exceeded, but the output doesn't indicate which rule(s) are affected. I've opened a bug on this.
Best regards,
Edward

Russ Combs wrote:

Edward, see the answers below. Let me know if you have more questions.

Russ

2010/4/9 Edward Bjarte Fjellskål <edward.fjellskal () redpill-linpro com>

Hope this list knows :)

./ebf0

Hi,

If I'm using:

config ppm: max-rule-time 5000, \
threshold 10, \
suspend-expensive-rules, \
suspend-timeout 60, \
rule-log log

How will this technically work... If a rule uses more than 5000 usecs 9 times, say on day 1 of running Snort, and on day 4 the rule again uses above 5000 usecs, will it then be suspended for 60 seconds?

Yes.

Does Snort keep threshold stats for each rule forever? Or is the threshold within some default timeout?

Yes - the stats are retained until restart.

Does enabling ppm for rules degrade performance of Snort? (as it maybe has to do more checking of the threshold for each rule, and maybe also suspending it and bringing it back...)

Yes - there will be some overhead, both for rule storage and processing time. I don't have hard numbers but it was implemented to be minimal.
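The answers above describe how `config ppm` counts rule-time exceedances and suspends a rule once the threshold is reached. The following is an added example, not Snort's code and not from either poster: it models that behaviour in Python and parses the `PPM: Rule-Event` log line quoted in the thread so an operator can at least aggregate suspensions per address. Assumptions: the exceedance counter persists until restart (per Russ's answer), a rule becomes eligible for suspension again as soon as the timeout lapses, and the detection-tree address stands in for the rule identity, since the thread notes the rule itself is not named in the log.

```python
import re
from dataclasses import dataclass, field

# Matches the 'PPM: Rule-Event ...' line format quoted in the thread.
PPM_RE = re.compile(
    r"PPM: Rule-Event address=(?P<addr>0x[0-9a-fA-F]+) Pkt\[(?P<pkt>\d+)\] "
    r"used=(?P<used>[\d.]+) usecs (?P<state>\w+)"
)

def parse_ppm_line(line):
    """Parse one PPM Rule-Event log line; returns None for unrelated lines."""
    m = PPM_RE.search(line)
    if m is None:
        return None
    return {"addr": m["addr"], "pkt": int(m["pkt"]),
            "used_us": float(m["used"]), "state": m["state"]}

@dataclass
class PpmRuleMonitor:
    """Model of the ppm rule limits (assumed: counts persist until restart)."""
    max_rule_time_us: float = 5000.0   # max-rule-time
    threshold: int = 10                # threshold
    suspend_timeout_s: float = 60.0    # suspend-timeout
    exceed_count: dict = field(default_factory=dict)
    suspended_until: dict = field(default_factory=dict)

    def is_suspended(self, rule, now):
        return self.suspended_until.get(rule, -1.0) > now

    def record(self, rule, used_us, now):
        """Account one evaluation of `rule` (used_us microseconds at time `now`
        in seconds); returns True if the rule is suspended afterwards."""
        if self.is_suspended(rule, now):
            return True
        if used_us > self.max_rule_time_us:
            self.exceed_count[rule] = self.exceed_count.get(rule, 0) + 1
            if self.exceed_count[rule] >= self.threshold:
                self.suspended_until[rule] = now + self.suspend_timeout_s
                return True
        return False

def thread_scenario():
    """Nine exceedances on day 1, a tenth on day 4: suspended for 60 s."""
    mon, rule, day = PpmRuleMonitor(), "0x20c859e0", 86400.0   # constructed
    day1 = [mon.record(rule, 6000.0, i * 60.0) for i in range(9)]
    cheap = mon.record(rule, 2000.0, 9 * 60.0)       # under the limit, not counted
    tenth = mon.record(rule, 5500.0, 3 * day)
    return {"day1": day1, "cheap": cheap, "tenth": tenth,
            "at_59s": mon.is_suspended(rule, 3 * day + 59),
            "at_61s": mon.is_suspended(rule, 3 * day + 61),
            "count": mon.exceed_count[rule]}
```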