Snort mailing list archives
Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...]
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 14 Apr 2010 12:26:46 -0400
Edward, see the answers below. Let me know if you have more questions.

Russ

2010/4/9 Edward Bjarte Fjellskål <edward.fjellskal () redpill-linpro com>

> Hope this list knows :)
> ./ebf0
>
> Hi,
> If I'm using:
>
> config ppm: max-rule-time 5000, \
>     threshold 10, \
>     suspend-expensive-rules, \
>     suspend-timeout 60, \
>     rule-log log
>
> How will this technically work...
> If a rule uses more than 5000 usecs 9 times say day 1 of running Snort, and say day 4, the rule again uses above 5000 usecs, will it then be suspended for 60 seconds?

Yes.

> Does Snort keep threshold stats for each rule for forever? or is the threshold within some default timeout?

Yes - the stats are retained until restart.

> Does enabling ppm for rules degrade performance of Snort? (as it maybe has to do more checking of the threshold for each rule, and maybe also suspending it and bringing it back...)

Yes - there will be some overhead, both for rule storage and processing time. I don't have hard numbers but it was implemented to be minimal.
> E
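The behaviour described in the answers above, as a small Python model (an added example, not Snort's code and not from either poster). The class, function and SID are hypothetical, and resetting the count when a suspended rule is re-enabled is an assumption the thread does not address.

```python
# Model of per-rule PPM suspension as answered in this thread.
# Not Snort source code; all names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class PpmRuleModel:
    max_rule_time_us: int = 5000   # max-rule-time
    threshold: int = 10            # threshold
    suspend_timeout_s: int = 60    # suspend-timeout
    over_count: dict = field(default_factory=dict)       # sid -> exceedances since start
    suspended_until: dict = field(default_factory=dict)  # sid -> re-enable time (seconds)

    def observe(self, sid, now_s, elapsed_us):
        """Feed one rule evaluation; return 'skipped', 'ok', 'over' or 'suspended'."""
        until = self.suspended_until.get(sid)
        if until is not None:
            if now_s < until:
                return "skipped"          # rule is not evaluated while suspended
            del self.suspended_until[sid]
            self.over_count[sid] = 0      # ASSUMPTION: count restarts on re-enable
        if elapsed_us <= self.max_rule_time_us:
            return "ok"                   # no decay: the count is kept until restart
        self.over_count[sid] = self.over_count.get(sid, 0) + 1
        if self.over_count[sid] >= self.threshold:
            self.suspended_until[sid] = now_s + self.suspend_timeout_s
            return "suspended"
        return "over"


def replay(events, model=None):
    """Run (sid, time_s, elapsed_us) tuples through the model in order."""
    if model is None:
        model = PpmRuleModel()
    return [model.observe(sid, t, us) for sid, t, us in events]


DAY = 86400
SID = 1000001  # constructed SID
EVENTS = (     # constructed timings matching the scenario in the question
    [(SID, i, 7000) for i in range(9)]   # day 1: nine evaluations over 5000 usecs
    + [(SID, 2 * DAY, 300)]              # day 3: a fast evaluation changes nothing
    + [(SID, 3 * DAY, 6000)]             # day 4: tenth exceedance
    + [(SID, 3 * DAY + 30, 6000)]        # inside the 60 second suspension
    + [(SID, 3 * DAY + 61, 300)]         # after the suspension has expired
)

if __name__ == "__main__":
    print(replay(EVENTS))
```
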
Current thread:
- [Fwd: [Snort-users] Packet Performance Monitoring Question...] Edward Bjarte Fjellskål (Apr 09)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Russ Combs (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Edward Bjarte Fjellskål (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Rodrigo Montoro(Sp0oKeR) (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Edward Bjarte Fjellskål (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Edward Bjarte Fjellskål (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Edward Bjarte Fjellskål (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Russ Combs (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Edward Bjarte Fjellskål (Apr 14)
- Re: [Fwd: [Snort-users] Packet Performance Monitoring Question...] Russ Combs (Apr 14)
