Re: Snort behaviour graphic.

[Emilio Mira <emial () alumni uv es>]

Hi Chris,

My stream4 and frag2 configurations are by default in 1.8.7:

preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor frag2

There are about 10,000 hosts in my network, and the kind of traffic ... 
ummm ... I'm monitorizing an University, so HTTP, FTP, p2p I think.

And, what did you mean with "I wouldn't be suprised if those times are
when you are hitting a forced session prune."

Thanks.

On Wed, 10 Jul 2002, Chris Green wrote:

> Emilio Mira <emial () alumni uv es> writes:
>
> > Hi all,
> >
> > I've been doing tests with Snort and I got the graphic attached. We can
> > see traffic received in packets per second with blue line, Snort droped
> > pps with green line and Snort total VM size in kilobytes. X axe represents
> > time in hours (a little more than one week).
> >
> > First, why droped packets are so different in between days with similar
> > traffic? (I get droped packets with a script that compares received
> > packets from the interface with Snort processed packets, from kill
> > -USR1).
> >
> > Second, why Snort vsize is like this?. I thought it bears relation to 
> > traffic received, but it doesn't.
>
> What are your stream4 and frag2 configurations?   How many hosts are
> you seeing on your network? Any idea on the type of traffic?
>
> You might try running your statistics with a higher memcap.  I
> wouldn't be suprised if those times are when you are hitting a forced
> session prune.





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Two, two, TWO treats in one.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users