Snort mailing list archives

Re: Snort getting overloaded by http traffic:


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Jun 2002 13:55:10 +1200

On Tue, Jun 25, 2002 at 01:35:10PM -0400, McCammon, Keith wrote:
> The amount of traffic that Snort is able to inspect has less to do with
> Snort and almost everything to do with the underlying operating system, IP
> stack, and (most importantly) available resources.  If the operating system
> is short of resources (specifically RAM), then packets are going to be
> dropped by the kernel due to lack of buffer space and general congestion.
> As such, they will never be presented to Snort for inspection.

[mutter, mutter Microsoft - how about some word wrapping!!!]

Anyway, this comment about RAM - is that actually true? I mean, there's a
few areas where snort needs to swallow *some* RAM - to track state, etc -
but other than that it's not a big requirement....

The reason I ask is that I'm running snort under daemontools as a supervised
script, and one thing I've done is to tell it it can't grow above 20M as
that indicates a memory leak. So far snort appears to hang around 10M - so I
feel happy with that.

Does snort ever need to grow to > 20Meg???

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

