Packet Performance Monitoring (PPM)
PPM provides thresholding mechanisms that give Snort a basic level of
latency control. It does not provide a hard and fast latency guarantee,
but in practice it should keep average latency under good control. Both
rules and packets can be checked for latency, and the action taken when
excessive latency is detected is configurable. The following sections
describe configuration, sample output, and some implementation details
worth noting.
To use PPM, you must build Snort with the --enable-ppm or the
--enable-sourcefire option passed to configure.
PPM is configured as follows:
    # Packet configuration:
    config ppm: max-pkt-time <micro-secs>, \
        fastpath-expensive-packets, \
        pkt-log, \
        debug-pkts

    # Rule configuration:
    config ppm: max-rule-time <micro-secs>, \
        threshold count, \
        suspend-expensive-rules, \
        suspend-timeout <seconds>, \
        rule-log [log] [alert]
Packets and rules can be configured separately, as above, or together in a
single config ppm statement. Packet and rule monitoring are independent, so
either one, both, or neither may be enabled.
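The following is an added example, not code from Snort or its manual: a small Python check that reads config ppm statements from a snort.conf, joins the backslash continuations, and sorts each option into the packet or rule group using only the synopsis shown above. The function name, the sample file and its values are constructed for illustration, and the final check assumes that a group's options do nothing unless that group's time limit is set, which this page does not state.

```python
import re

# Grammar copied from the synopsis on this page: option -> (group, argument regex).
PPM_OPTIONS = {
    "max-pkt-time": ("packet", r"\d+"),
    "fastpath-expensive-packets": ("packet", r""),
    "pkt-log": ("packet", r""),
    "debug-pkts": ("packet", r""),
    "max-rule-time": ("rule", r"\d+"),
    "threshold": ("rule", r"\d+"),
    "suspend-expensive-rules": ("rule", r""),
    "suspend-timeout": ("rule", r"\d+"),
    "rule-log": ("rule", r"(log|alert|log alert)?"),
}

# Constructed sample: no max-rule-time, and a unit suffix on suspend-timeout.
SAMPLE_CONF = """\
config ppm: max-pkt-time 250, \\
    fastpath-expensive-packets, pkt-log
config ppm: threshold 5, suspend-expensive-rules, \\
    suspend-timeout 20s, rule-log log alert
"""

def audit_ppm(conf_text):
    """Return (options, problems); options maps 'packet'/'rule' to {name: arg}."""
    options = {"packet": {}, "rule": {}}
    problems = []
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)  # join '\' continuations
    for line in joined.splitlines():
        m = re.match(r"config\s+ppm\s*:\s*(.*)", line.split("#", 1)[0].strip())
        if not m:
            continue
        for item in filter(None, (p.strip() for p in m.group(1).split(","))):
            name, *rest = item.split(None, 1)
            arg = " ".join(rest[0].split()) if rest else ""
            if name not in PPM_OPTIONS:
                problems.append(f"unknown option: {name}")
                continue
            group, pattern = PPM_OPTIONS[name]
            if re.fullmatch(pattern, arg):
                options[group][name] = arg
            else:
                problems.append(f"bad argument for {name}: {arg!r}")
    # Assumption (not stated on this page): a group needs its time limit to act.
    for group, limit in (("packet", "max-pkt-time"), ("rule", "max-rule-time")):
        if options[group] and limit not in options[group]:
            problems.append(f"{group} options set without {limit}")
    return options, problems

if __name__ == "__main__":
    print(audit_ppm(SAMPLE_CONF))
```
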
Eugene Misnik
2013-05-08