Re: Packet Performance Monitor

[Russ <rucombs () cisco com>]

On 10/3/16 3:01 PM, Mike Cox wrote:
> Thanks Russ, much appreciated.   This kind of begs the question, when 
> PPM suspends a rule, does the single rule get suspended or the entire 
> tree (which could be multiple rules)?
The whole tree.

BTW, Snort++ adds the first rule in the tree to the latency event logs 
in the update later this week.  Something may be done in Snort as well.  
TBD.
> Thanks.
>
> -Mike Cox
>
> On Mon, Sep 26, 2016 at 8:57 AM, Russ <rucombs () cisco com 
> <mailto:rucombs () cisco com>> wrote:
>
>     Hey Mike,
>
>     This has been a "feature" of Snort for quite a while and likely
>     will only be fixed in Snort++, which inherited the issue.  It
>     arose when we added a performance feature to compile all the rules
>     that share a fast pattern match end state into a single tree that
>     can be evaluated more quickly than iterating over the individual
>     rules.  Such rules tend to have a lot in common and the common
>     part is evaluated just once.  Consequently, when the tree triggers
>     a latency event, it could be one or more rules that are at fault. 
>     I'm thinking we will add a mapping and report the index that can
>     be used to find the rules.  This is in our backlog.
>
>     Thanks
>     Russ
>
>
>     On 9/26/16 8:27 AM, Mike Cox wrote:
> >     Perhaps snort-sigs was the wrong place to post this.  Removing
> >     them and adding snort-devel.
> >
> >     Thanks.
> >
> >     Mike Cox
> >
> >     On Thu, Sep 22, 2016 at 10:59 AM, Mike Cox <mike.cox52 () gmail com
> >     <mailto:mike.cox52 () gmail com>> wrote:
> >
> >         I've been messing around with the Packet Performance Monitor
> >         (PPM) preprocessor and it seem like a nice capability of Snort.
> >
> >         However, when I configure it to suspend/disable expensive
> >         rules once the thresholds are reached, how do I know which
> >         rule was suspended?  I see it generates the GID 134 alert
> >         along with the packet it was considering at the time but I
> >         need to be able to know what rule was suspended so I can:
> >
> >         1) account for and correlate the coverage gap (if necessary)
> >         2) tune the rule
> >
> >         Thanks!
> >
> >         Mike Cox
> >
> >
> >
> >
> >     ------------------------------------------------------------------------------
> >
> >     _______________________________________________
> >     Snort-devel mailing list
> >     Snort-devel () lists sourceforge net
> >     <mailto:Snort-devel () lists sourceforge net>
> >     https://lists.sourceforge.net/lists/listinfo/snort-devel
> >     <https://lists.sourceforge.net/lists/listinfo/snort-devel>
> >     Archive:
> >     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >     <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel>
> >
> >     Please visithttp://blog.snort.org  for the latest news about Snort!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!