Snort mailing list archives
Re: Snort getting overloaded by http traffic:
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Jun 2002 13:55:10 +1200
On Tue, Jun 25, 2002 at 01:35:10PM -0400, McCammon, Keith wrote:
> The amount of traffic that Snort is able to inspect has less to do with Snort and almost everything to do with the underlying operating system, IP stack, and (most importantly) available resources. If the operating system is short of resources (specifically RAM), then packets are going to be dropped by the kernel due to lack of buffer space and general congestion. As such, they will never be presented to Snort for inspection.
[mutter, mutter Microsoft - how about some word wrapping!!!]

Anyway, this comment about RAM - is that actually true? I mean, there's a few areas where snort needs to swallow *some* RAM - to track state, etc - but other than that it's not a big requirement....

The reason I ask is that I'm running snort under daemontools as a supervised script, and one thing I've done is to tell it it can't grow above 20M as that indicates a memory leak. So far snort appears to hang around 10M - so I feel happy with that.

Does snort ever need to grow to > 20Meg???

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1