Latency-Based Performance Settings

Each access control policy has latency-based settings that use thresholding to manage packet and rule processing performance.

These settings apply to Snort and are relevant only if you apply intrusion policies in rules or as the default action. By default, latency-based performance settings for both packet and rule handling are automatically populated by the latest deployed intrusion rule update, and we recommend that you do not change the default. Change these settings only if you are a Snort intrusion rule expert, or at the direction of Cisco Technical Support.

The latency settings that are applied depend on the security level of the network analysis policy (NAP) associated with the access control policy. Generally, this is the default NAP policy. However, if custom network analysis rules are configured, and if any of these specify a NAP policy that is more secure than the default NAP policy, then latency settings are based on the most secure NAP policy among the custom rules. If the default NAP policy or any custom rules invoke a custom NAP policy, then the security level used in the evaluation is the system-provided base policy on which each custom NAP policy is based.

The above is true regardless of whether the effective threshold and/or network analysis configurations are inherited or configured directly in the policy.

Use the following settings to tune the latency-based performance of your system.

  • Apply Settings From—Whether to apply latency-based performance settings from an Installed Rule Update (the default) or from your Custom settings.

  • Packet Handling—Packet latency thresholding measures the total elapsed time taken to process a packet by applicable decoders, preprocessors, and rules, and ceases inspection of the packet if the processing time exceeds a configurable threshold. By default, the latency-based performance setting for packet handling is disabled. You may choose to enable it. However, Cisco recommends that you do not change the default value for the threshold setting. Select Enabled to turn it on. If you selected Custom, also enter the Threshold time in microseconds for when inspection of a packet should cease. The default is 256.

  • Rule Handling—Rule latency thresholding measures the elapsed time each rule takes to process an individual packet, suspends the violating rule along with a group of related rules for a specified time if the processing time exceeds the rule latency threshold a configurable consecutive number of times, and restores the rules when the suspension expires. You can configure these options only if you select Custom.

    • Enabled—This option is selected automatically if you select Custom. If you do not want to use this feature, deselect the option. All other settings on this tab require the feature to be enabled.

    • Threshold (microseconds)—Specifies the time in microseconds that rules should not exceed when examining a packet. The default is 512.

    • Consecutive Threshold Violations Before Suspending Rule—Specifies the number of consecutive packets for which a rule can exceed the threshold time before the rule is suspended. The default is 3.

    • Suspension Time—How long, in seconds, a suspended rule remains suspended before it is restored. The default is 10.
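The two thresholding mechanisms above are easier to reason about as a small state machine. The following Python simulation is an added example, not Cisco or Snort code, and it makes a few assumptions that the page does not spell out: the packet budget is checked after each processing stage, a sub-threshold rule evaluation resets the consecutive-violation counter, the suspension time is in seconds, and the "group of related rules" is modelled as a plain dictionary that maps a rule to the rules suspended with it. The stage timings, rule identifiers and clock values are constructed sample data. What the simulation makes visible is the trade-off the defaults encode: once a packet's budget is exhausted the remaining stages are skipped, and once a rule is suspended its whole group stops matching until the suspension expires, so raising either threshold buys coverage at the cost of latency, and lowering it does the reverse.

```python
"""Simulation of Snort-style latency thresholding (packet and rule handling).

Added example for illustration; not Cisco or Snort code. The stage costs,
rule ids, group mapping and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ---------------------------------------------------------------------------
# Packet handling: stop inspecting once cumulative processing time exceeds
# the packet latency threshold (default 256 microseconds).
# ---------------------------------------------------------------------------

# Constructed per-stage costs in microseconds for one packet.
SAMPLE_STAGES: List[Tuple[str, int]] = [
    ("decoder", 40),
    ("preprocessor:http", 120),
    ("rules:group-a", 150),
    ("rules:group-b", 50),
]


def inspect_packet(stage_costs_us: List[Tuple[str, int]],
                   threshold_us: int = 256) -> Tuple[List[str], bool]:
    """Run decoders, preprocessors and rule groups in order, summing time.

    Assumption: the budget is checked after each stage, so the stage that
    crosses the threshold still runs, but every stage after it is skipped.
    Returns (stages_that_ran, ceased), where ceased is True when the packet
    left inspection early because the threshold was exceeded.
    """
    elapsed = 0
    ran: List[str] = []
    for name, cost in stage_costs_us:
        elapsed += cost
        ran.append(name)
        if elapsed > threshold_us:
            return ran, True          # remaining stages are not applied
    return ran, False


# ---------------------------------------------------------------------------
# Rule handling: suspend a rule (and its related rules) after N consecutive
# over-threshold evaluations, then restore it when the suspension expires.
# ---------------------------------------------------------------------------

@dataclass
class RuleLatencyConfig:
    threshold_us: int = 512            # Threshold (microseconds)
    consecutive_violations: int = 3    # Consecutive Threshold Violations Before Suspending Rule
    suspension_time_s: float = 10.0    # Suspension Time (assumed to be seconds)


@dataclass
class RuleState:
    consecutive: int = 0                       # current run of violations
    suspended_until: Optional[float] = None    # absolute time, or None if active


class RuleLatencyMonitor:
    def __init__(self, cfg: RuleLatencyConfig, related: Dict[str, Set[str]]):
        self.cfg = cfg
        self.related = related                 # assumed: rule id -> related rule ids
        self.state: Dict[str, RuleState] = {}

    def _st(self, rid: str) -> RuleState:
        return self.state.setdefault(rid, RuleState())

    def is_suspended(self, rid: str, now_s: float) -> bool:
        """True while a suspension is in force; restores the rule on expiry."""
        st = self._st(rid)
        if st.suspended_until is None:
            return False
        if now_s >= st.suspended_until:
            st.suspended_until = None          # suspension expired: restore
            st.consecutive = 0
            return False
        return True

    def observe(self, rid: str, elapsed_us: int, now_s: float) -> str:
        """Record one evaluation of rule `rid` taking `elapsed_us` on a packet."""
        if self.is_suspended(rid, now_s):
            return "skipped"                   # rule not evaluated at all
        st = self._st(rid)
        if elapsed_us <= self.cfg.threshold_us:
            st.consecutive = 0                 # assumption: a fast packet resets the run
            return "ok"
        st.consecutive += 1
        if st.consecutive < self.cfg.consecutive_violations:
            return "violation"
        # Threshold exceeded on N consecutive packets: suspend the rule and
        # the group of related rules for the configured suspension time.
        until = now_s + self.cfg.suspension_time_s
        for member in self.related.get(rid, set()) | {rid}:
            ms = self._st(member)
            ms.suspended_until = until
            ms.consecutive = 0
        return "suspended"


def demo() -> List[str]:
    """Constructed timeline: sid:1001 is slow three packets in a row."""
    mon = RuleLatencyMonitor(RuleLatencyConfig(), {"sid:1001": {"sid:1002"}})
    samples = [
        (0.0, "sid:1001", 900),    # violation 1
        (0.1, "sid:1001", 950),    # violation 2
        (0.2, "sid:1001", 1200),   # violation 3 -> suspended until t=10.2
        (0.3, "sid:1001", 100),    # skipped: suspended
        (0.3, "sid:1002", 100),    # skipped: related rule suspended too
        (10.5, "sid:1001", 100),   # suspension expired -> evaluated again
    ]
    return [mon.observe(rid, us, t) for t, rid, us in samples]


if __name__ == "__main__":
    print(inspect_packet(SAMPLE_STAGES, 256))
    print(inspect_packet(SAMPLE_STAGES, 512))
    print(demo())
```

Running the module shows the packet leaving inspection after `rules:group-a` at the default 256 microsecond budget but completing every stage at 512, and the rule timeline producing `violation, violation, suspended, skipped, skipped, ok`. The same skeleton can be fed timings from a lab run to see, before changing a threshold from its rule-update default, which rules or packet types would actually be suspended or cut short by the new value.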