Snort mailing list archives
Re: stream4 memory questions.
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 14 Mar 2002 15:00:49 -0500
On 3/14/02 2:27 PM, "Vjay LaRosa" <vjayl () emc com> wrote:
Hello, I have two questions...

1) Can someone tell me if there is a memory cap for the preprocessors frag2 and stream4? I want to make sure that each snort process on my server has MORE than enough memory than it needs (6 GB in the server!). Currently I can see one process uses up to 147 MB of memory,

    14967 root 1 40 0 27M 27M run 303:39 17.82% snort
    14972 root 1 31 0 147M 147M sleep 235:55 14.28% snort <----
    14962 root 1 52 0 18M 18M sleep 244:12 8.59% snort

These are my snort.conf settings.

    preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
    preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
There are *separate* memcaps for stream4 and frag2, they each have their own memory pools and memory managers. If you want to limit it to a total of 128M you need to make it 64MB and 64MB respectively.
2) Could someone explain the following lines of output to me? They are from a kill -USR1 to a snort process.

Stream Trackers
Number of sessions that had trackers (session data structs) setup for them.
Stream Flushes
Number of times the stream flush function was called. BTW, does anyone have any recommendations for deciding when to flush the streams? The current setup is pretty naïve, it flushes if there are more than 2 packets with 128 bytes or more data stored for the stream. This method pretty much sucks, so I'm open to suggestions. We want to model the behavior of the target host as closely as possible...
Segments used
This is the number of segments that have been combined during stream flushes.
Stream4 Memory faults
This is the number of times the memcap was hit and stream4 had to take extended measures (flushing old segments first, if that fails flushing 5 random stream trackers at the leaf nodes in the splay tree the trackers are stored in and all their associated segments). If this number is large you should think about increasing your memcap for stream4.

BTW, with ~8MB of RAM you should be able to store approximately 32000 simultaneous sessions in the average case in RAM. If you don't do stream reassembly (stateful inspection only) you should be able to store ~64000 sessions.

-Marty

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
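The memcap fault handling described in the message above, as a toy C model added here; it is not Snort source and not part of the original post. The flat array standing in for the splay tree, the OLD_AGE idle threshold, the choice to drop a segment when room is still short, and all names and sizes are assumptions.

```c
/* Toy model of the stream4 memcap fault path (added example, not Snort code).
 * Assumed: flat array instead of the splay tree, only segment bytes counted,
 * "old" = idle > OLD_AGE ticks, segment dropped if room is still short. */
#include <stdio.h>
#include <stdlib.h>
#define NTRK 64     /* tracker slots (constructed) */
#define OLD_AGE 30  /* assumed idle threshold, in ticks */

struct tracker { int live; unsigned long seg_bytes; long last_seen; };
struct pool { unsigned long memcap, used, faults; struct tracker t[NTRK]; };

static void release(struct pool *p, int i, int whole_tracker) {
    p->used -= p->t[i].seg_bytes;
    p->t[i].seg_bytes = 0;
    if (whole_tracker) p->t[i].live = 0;
}

static void mem_fault(struct pool *p, unsigned long need, long now) {
    int i, n, k;
    p->faults++;                          /* "Stream4 Memory faults" */
    for (i = 0; i < NTRK; i++)            /* step 1: flush old segments */
        if (p->t[i].live && now - p->t[i].last_seen > OLD_AGE)
            release(p, i, 0);
    if (p->used + need <= p->memcap) return;
    for (n = 0; n < 5; n++)               /* step 2: drop 5 random trackers */
        for (i = 0, k = rand() % NTRK; i < NTRK; i++, k = (k + 1) % NTRK)
            if (p->t[k].live) { release(p, k, 1); break; }
}

/* Returns 1 if the segment was stored, 0 if it had to be dropped. */
int store_segment(struct pool *p, int id, unsigned long len, long now) {
    if (p->used + len > p->memcap) mem_fault(p, len, now);
    if (p->used + len > p->memcap) return 0;
    p->t[id].live = 1;
    p->t[id].seg_bytes += len;
    p->t[id].last_seen = now;
    p->used += len;
    return 1;
}

int main(void) {   /* constructed workload: 64 sessions, 1000-byte segments */
    struct pool p = {0};
    long now;
    p.memcap = 16000;
    for (now = 0; now < 200; now++)
        store_segment(&p, (int)(now % NTRK), 1000, now);
    printf("faults=%lu used=%lu memcap=%lu\n", p.faults, p.used, p.memcap);
    return 0;
}
```

A fault count that keeps climbing under a steady workload, as it does here with the small cap, is the signal the message describes for raising the stream4 memcap.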