Snort mailing list archives

Packet Performance Monitoring Question...


From: Edward Bjarte Fjellskål <edward.fjellskal () redpill-linpro com>
Date: Wed, 07 Apr 2010 22:13:57 +0200

Hi,

If I'm using:

config ppm: max-rule-time 5000, \
    threshold 10, \
    suspend-expensive-rules, \
    suspend-timeout 60, \
    rule-log log

How will this technically work...
If a rule uses more than 5000 usecs 9
times on, say, day 1 of running Snort, and
on, say, day 4 the rule again uses more than 5000 usecs,

will it then be suspended for 60 seconds?

Does Snort keep threshold stats for each rule
forever, or is the threshold within some default
timeout?

Does enabling ppm for rules degrade performance of Snort?
(as it maybe has to do more checking of the threshold for
each rule, and maybe also suspending it and bringing it back...)


E
