Example 1:
The following enables packet tracking:
config ppm: max-pkt-time 100
The following enables rule tracking:
config ppm: max-rule-time 50, threshold 5
If fastpath-expensive-packets or suspend-expensive-rules is not used, no action is taken other than incrementing the count of packets that should be fastpath'd or of rules that should be suspended. A summary of this information is printed when Snort exits.
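An audit script, added here as an example and not part of Snort or the original manual, that parses config ppm directives (including backslash continuations) and reports whether each threshold is only counted or actually enforced. The sample input is constructed from the Example 1 and Example 2 directives on this page; the function names are hypothetical.

```python
import re

# Constructed sample: the Example 1 and Example 2 directives from this page.
SAMPLE_CONF = r"""
config ppm: max-pkt-time 100
config ppm: max-rule-time 50, threshold 5
config ppm: \
    max-pkt-time 50, fastpath-expensive-packets, \
    pkt-log, debug-pkt
config ppm: \
    max-rule-time 50, threshold 5, suspend-expensive-rules, \
    suspend-timeout 300, rule-log log alert
"""

def join_continuations(text):
    """Merge lines ending in a backslash into one logical line."""
    return re.sub(r"\\[ \t]*\r?\n", " ", text)

def parse_ppm(text):
    """Return one {option: argument-string} dict per 'config ppm:' directive."""
    directives = []
    for line in join_continuations(text).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"config\s+ppm\s*:\s*(.*)$", line)
        if not m:
            continue
        opts = {}
        for item in m.group(1).split(","):
            parts = item.split(None, 1)  # option name, then its arguments
            if parts:
                opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        directives.append(opts)
    return directives

def classify(opts):
    """Label what a directive does once its threshold is exceeded."""
    out = []
    if "max-pkt-time" in opts:
        acts = "fastpath-expensive-packets" in opts
        out.append("packet: " + ("inspection aborted" if acts else "count only"))
    if "max-rule-time" in opts:
        acts = "suspend-expensive-rules" in opts
        out.append("rule: " + ("rules suspended" if acts else "count only"))
    return out

if __name__ == "__main__":
    for opts in parse_ppm(SAMPLE_CONF):
        print(opts, "->", classify(opts))
```

Directives reported as "inspection aborted" or "rules suspended" are the ones under which Snort stops inspecting a packet or stops evaluating a rule once the threshold is exceeded, so they are the ones to review when tuning thresholds.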
Example 2:
The following suspends rules and aborts packet inspection. These configuration directives were used to generate the sample output that follows.
config ppm: \
    max-pkt-time 50, fastpath-expensive-packets, \
    pkt-log, debug-pkt
config ppm: \
    max-rule-time 50, threshold 5, suspend-expensive-rules, \
    suspend-timeout 300, rule-log log alert