Re: Snort behaviour graphic.

[Chris Green <cmg () sourcefire com>]

Emilio Mira <emial () alumni uv es> writes:

> Hi all,
>
> I've been doing tests with Snort and I got the graphic attached. We can
> see traffic received in packets per second with blue line, Snort droped
> pps with green line and Snort total VM size in kilobytes. X axe represents
> time in hours (a little more than one week).
>
> First, why droped packets are so different in between days with similar
> traffic? (I get droped packets with a script that compares received
> packets from the interface with Snort processed packets, from kill
> -USR1).
>
> Second, why Snort vsize is like this?. I thought it bears relation to 
> traffic received, but it doesn't.

What are your stream4 and frag2 configurations?   How many hosts are
you seeing on your network? Any idea on the type of traffic?

You might try running your statistics with a higher memcap.  I
wouldn't be suprised if those times are when you are hitting a forced
session prune.
-- 
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Two, two, TWO treats in one.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users