Limiting Pattern Matching for Intrusions

Procedure


Step 1

In the access control policy editor, click Advanced (Policies > Access Control > Edit > More > Advanced Settings).

In the new UI, select Advanced Settings from the drop-down arrow at the end of the packet flow line.

Step 2

Click Edit (edit icon) next to Performance Settings.

If View (View button) appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If the configuration is unlocked, uncheck Inherit from base policy to enable editing.

Step 3

Click Pattern Matching Limits in the Performance Settings pop-up window.

Step 4

Enter a value for the maximum number of events to queue in the Maximum Pattern States to Analyze Per Packet field.

Step 5

In Snort 2, to disable the inspection of packets that will be rebuilt into larger streams of data before and after stream reassembly, check the Disable Content Checks on Traffic Subject to Future Reassembly check box. Inspection before and after reassembly requires more processing overhead and may decrease performance.

Important
In Snort 3, the Disable Content Checks on Traffic Subject to Future Reassembly check box has the following meaning:
  • Checked: Detection runs on the TCP payload before reassembly, so packets are inspected both before and after stream reassembly. This process requires more processing overhead and may decrease performance.
  • Unchecked: Detection runs on the TCP payload after reassembly.

Step 6

Click OK.

Step 7

Click Save to save the policy.


What to do next

  • Deploy configuration changes.
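
The trade-off behind the Snort 3 check box in Step 5, as an added Python illustration (not Cisco or Snort code): it compares content matching on each TCP segment plus the reassembled stream ("checked") with matching on the reassembled stream only ("unchecked"). The function name `inspect_flow`, the sample flows and the placeholder pattern are constructed for this example; reassembly is simplified to in-order concatenation and bytes scanned stands in for processing overhead.

```python
"""Constructed illustration: content matching before vs. after TCP reassembly."""


def inspect_flow(segments, pattern, before_reassembly):
    """Return (first_hit, bytes_scanned) for one TCP flow.

    segments: in-order TCP payloads (bytes); pattern: content to match.
    before_reassembly=True models the Snort 3 "checked" state from the page:
    every segment is scanned as it arrives and the reassembled stream is
    scanned as well. False models "unchecked": only the stream is scanned.
    first_hit is "segment N", "stream" or None.
    """
    first_hit, scanned = None, 0
    if before_reassembly:
        for i, seg in enumerate(segments):
            scanned += len(seg)
            if first_hit is None and pattern in seg:
                first_hit = f"segment {i}"
    # Assumption: reassembly is plain in-order concatenation (no overlaps,
    # retransmissions or flush policy, which a real engine has to handle).
    stream = b"".join(segments)
    scanned += len(stream)
    if first_hit is None and pattern in stream:
        first_hit = "stream"
    return first_hit, scanned


# Constructed sample flows; PATTERN is a placeholder, not a real rule.
PATTERN = b"EXAMPLE-CONTENT"
# The pattern sits entirely inside one segment.
WHOLE = [b"GET /a HTTP/1.1\r\n", b"X-Test: EXAMPLE-CONTENT\r\n", b"\r\n"]
# The same bytes, but a segment boundary falls inside the pattern.
SPLIT = [b"GET /a HTTP/1.1\r\nX-Test: EXAMPLE-", b"CONTENT\r\n\r\n"]

if __name__ == "__main__":
    for name, flow in (("whole", WHOLE), ("split", SPLIT)):
        for checked in (True, False):
            hit, cost = inspect_flow(flow, PATTERN, checked)
            print(f"{name:5} checked={checked!s:5} "
                  f"first_hit={hit} bytes_scanned={cost}")
```

In both flows the "checked" mode scans twice as many bytes. It reports the match earlier only when the content fits inside a single segment; content that spans a segment boundary is matched on the reassembled stream in either mode.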