Performance settings
The following settings tune the performance of your system as it analyzes traffic for attempted intrusions. There are separate tabs for each group of settings.
These settings apply to Snort and are relevant only if you apply intrusion policies in rules or as the default action. Change these settings only if you are a Snort intrusion rule expert, or at the direction of Cisco Technical Support.
Pattern Matching Limits
- Maximum Pattern States to Analyze Per Packet—The maximum number of events to queue. The default is 5.
- Disable Content Checks on Traffic Subject to Future Reassembly—Whether to skip content checks on TCP segments that will later be reassembled into a stream. When the option is off (the default), such segments are inspected as individual packets and again as part of the reassembled stream; this double inspection requires more processing overhead and may decrease performance. When the option is on, the TCP payload is inspected only after reassembly.
Performance Statistics
Each time the configured sample time elapses, the system checks whether it has analyzed at least the configured minimum number of packets since the last update. If it has, it updates the performance statistics; otherwise it waits until that many packets have been analyzed.
- Sample time (seconds)—The time range for taking a performance sample. The default is 300 seconds.
Configuring a very low value (for example, 1 second) for the sample time can heavily load the device: the performance statistics logged on the device can cause disk space issues and affect the operation of the device. We therefore recommend that you do not configure a very low value.
- Minimum number of packets—The minimum number of packets a sample must cover for the resulting performance statistic to be valid. The default is 0.
- Troubleshooting Options:
- Log Session/Protocol Distribution—Enable this option only if Cisco Technical Support asks you to during a troubleshooting call.
- Summary—Enable this option only if Cisco Technical Support asks you to during a troubleshooting call. It configures the system to calculate the performance statistics only when the Snort process is shut down or restarted.
Regular Expression Limits
The default Perl compatible regular expression (PCRE) limits ensure a minimum level of performance. Overriding these limits could increase security but could also significantly impact performance by permitting packet evaluation against inefficient regular expressions.
- Match Limit State—The limit on the work spent matching a PCRE regular expression. You can select Default Value, which is 3500, Unlimited, or Custom. If you select Custom, specify in Match Limit the number of times to attempt to match a pattern defined in a PCRE regular expression. Specify 0 to completely disable PCRE match evaluations.
- Match Recursion Limit State—The limit on recursion while matching a PCRE regular expression. You can select Default Value, which is 1500, Unlimited, or Custom. If you select Custom, specify in Match Recursion Limit the number of recursions allowed when evaluating a PCRE regular expression against the packet payload. Specify 0 to completely disable PCRE recursions.
Note: For a custom match recursion limit to be meaningful, it must be smaller than the match limit.
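The interaction between the two limits, shown on an added worked model that is not Cisco's or Snort's code: a minimal backtracking matcher (literals, `.` and a postfix `*` only) counts matching steps against a match limit and nesting depth against a recursion limit, the way PCRE's match limit and match recursion limit bound an evaluation. The pattern syntax, the step and depth accounting, the constructed payloads, and the treatment of an exhausted limit as "no match for this packet" are simplifications assumed for the model, not a description of PCRE internals. Because depth can never exceed the step count, the run with a recursion limit equal to the match limit shows why the note above holds: the recursion limit is never the one that trips.

```python
"""Model of PCRE match and recursion limits on a toy backtracking matcher.

Added example, not Cisco or Snort code. Supports literals, '.', and a
postfix '*' so that pathological patterns can be shown exhausting a limit.
"""
import sys
from dataclasses import dataclass
from typing import Optional

sys.setrecursionlimit(20000)  # the model recurses once per consumed character

DEFAULT_MATCH_LIMIT = 3500       # page default for Match Limit
DEFAULT_RECURSION_LIMIT = 1500   # page default for Match Recursion Limit


class LimitExceeded(Exception):
    """Raised with 'match' or 'recursion' when a limit is exhausted."""


@dataclass
class Budget:
    match_limit: Optional[int]      # None = Unlimited
    recursion_limit: Optional[int]  # None = Unlimited
    steps: int = 0
    depth: int = 0
    max_depth: int = 0

    def enter(self) -> None:
        """Account for one matching step entering one more level of nesting."""
        self.steps += 1
        if self.match_limit is not None and self.steps > self.match_limit:
            raise LimitExceeded("match")
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        if self.recursion_limit is not None and self.depth > self.recursion_limit:
            raise LimitExceeded("recursion")

    def leave(self) -> None:
        self.depth -= 1


def _match_here(pat: str, text: str, b: Budget) -> bool:
    b.enter()
    try:
        if not pat:
            return True
        if len(pat) > 1 and pat[1] == "*":
            return _match_star(pat[0], pat[2:], text, b)
        if text and pat[0] in (".", text[0]):
            return _match_here(pat[1:], text[1:], b)
        return False
    finally:
        b.leave()


def _match_star(c: str, rest: str, text: str, b: Budget) -> bool:
    """Greedy star: consume as much as possible, then backtrack one char at a time."""
    b.enter()
    try:
        if text and c in (".", text[0]) and _match_star(c, rest, text[1:], b):
            return True
        return _match_here(rest, text, b)
    finally:
        b.leave()


def evaluate(pattern: str, payload: str,
             match_limit: Optional[int] = DEFAULT_MATCH_LIMIT,
             recursion_limit: Optional[int] = DEFAULT_RECURSION_LIMIT) -> dict:
    """Evaluate one PCRE-style rule option against a payload under the limits.

    Returns matched (True/False, or None when evaluation was skipped or
    abandoned), the limit that stopped it if any, and the work performed.
    """
    if match_limit == 0:  # page: 0 disables PCRE match evaluation entirely
        return {"matched": None, "limit_hit": "disabled", "steps": 0, "max_depth": 0}
    b = Budget(match_limit, recursion_limit)
    try:
        matched = _match_here(pattern, payload, b)
        limit_hit = None
    except LimitExceeded as exc:
        # Assumption of the model: an abandoned evaluation never fires the rule.
        matched, limit_hit = None, str(exc)
    return {"matched": matched, "limit_hit": limit_hit,
            "steps": b.steps, "max_depth": b.max_depth}


if __name__ == "__main__":
    # Constructed payloads: a benign match, a backtracking bomb, and a long run
    # that is cheap per step but nests deeply.
    print(evaluate("a*b", "aaab"))
    print(evaluate("a*a*a*a*a*c", "a" * 30))                 # match limit trips
    print(evaluate(".*c", "x" * 2000))                        # recursion limit trips first
    print(evaluate(".*c", "x" * 2000, recursion_limit=3500))  # equal limits: match limit trips instead
```

The second payload is the case the page warns about: an inefficient pattern on a short payload burns through the default match limit long before it nests deeply, so raising the limit to "Unlimited" would let a single packet consume an unbounded amount of inspection time.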
Intrusion Event Logging Limits
When the intrusion rules engine evaluates traffic against rules, it places the events generated for a given packet or packet stream in an event queue, then reports the top events in the queue to the user interface. When configuring the intrusion event logging limits, you can specify how many events can be placed in the queue and how many are logged, and select the criteria for determining event order within the queue.
- Maximum Events Stored Per Packet—The maximum number of events that can be stored for a given packet or packet stream. The default is 8.
- Maximum Events Logged Per Packet—The number of events logged for a given packet or packet stream. This cannot exceed the Maximum Events Stored Per Packet value. The default is 5.
- Prioritize Events Logging By—The criterion used to order events within the event queue. The highest ordered events are the ones reported through the user interface. You can select:
- Content Length (the default), which orders events by the longest identified content match. When events are ordered by content length, rule events always take precedence over decoder and preprocessor events.
- Priority, which orders events in the queue by the event priority.
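How the three settings interact, shown on an added model that is not Cisco's or Snort's code: the events generated for one packet are ranked by the selected criterion, the queue keeps at most Maximum Events Stored Per Packet of them, and the first Maximum Events Logged Per Packet are reported. The sample events are constructed; the tie-breaking (arrival order), the overflow behaviour (the lowest-ranked event is evicted) and the reading of priority 1 as the highest priority are assumptions the page does not spell out.

```python
"""Model of the intrusion event queue limits and ordering.

Added example, not Cisco or Snort code. Events for one packet are ranked by
the chosen criterion, the queue keeps at most max_queue of them, and the top
`log` entries are the ones reported.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    kind: str            # "rule", "decoder" or "preprocessor"
    sid: int             # identifier of the alert (constructed values)
    priority: int        # assumption: 1 is the highest priority
    content_length: int  # longest content match; 0 for decoder/preprocessor events


def rank_key(event: Event, order: str):
    """Sort key implementing the two 'Prioritize Events Logging By' choices."""
    if order == "content_length":
        # Rule events outrank decoder/preprocessor events; then longest match first.
        return (0 if event.kind == "rule" else 1, -event.content_length)
    if order == "priority":
        return (event.priority,)
    raise ValueError(f"unknown ordering: {order}")


def select_logged(events: List[Event], max_queue: int = 8, log: int = 5,
                  order: str = "content_length") -> List[Event]:
    """Return the events that would be logged for one packet or stream."""
    if log > max_queue:
        raise ValueError("Maximum Events Logged cannot exceed Maximum Events Stored")
    queue: List[Event] = []
    for event in events:  # arrival order is the rules engine's generation order
        queue.append(event)
        queue.sort(key=lambda e: rank_key(e, order))  # stable: ties keep arrival order
        if len(queue) > max_queue:
            queue.pop()  # assumption: overflow evicts the lowest-ranked event
    return queue[:log]


# Constructed events for a single packet: eight rule hits of varying match
# length, plus one preprocessor and one decoder event.
SAMPLE_EVENTS = [
    Event("rule", 101, priority=3, content_length=4),
    Event("preprocessor", 201, priority=1, content_length=0),
    Event("rule", 102, priority=2, content_length=12),
    Event("rule", 103, priority=1, content_length=7),
    Event("decoder", 301, priority=3, content_length=0),
    Event("rule", 104, priority=3, content_length=20),
    Event("rule", 105, priority=2, content_length=9),
    Event("rule", 106, priority=3, content_length=3),
    Event("rule", 107, priority=1, content_length=15),
    Event("rule", 108, priority=3, content_length=11),
]


def logged_sids(order: str = "content_length", max_queue: int = 8, log: int = 5) -> List[int]:
    """Convenience wrapper returning just the SIDs that would be logged."""
    return [e.sid for e in select_logged(SAMPLE_EVENTS, max_queue, log, order)]


if __name__ == "__main__":
    print("content_length:", logged_sids("content_length"))  # preprocessor event 201 is never logged
    print("priority:      ", logged_sids("priority"))        # 201 is logged first
```

With the default Content Length ordering the priority-1 preprocessor event never reaches the log, because every rule event outranks it regardless of priority and the queue fills with rule hits; switching to Priority logs it first but pushes the long-match rule events out. Which trade-off is right depends on whether you tune for the most specific match or the most severe classification.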