Snort mailing list archives
Re: Stream4 behavior
From: Joel Esler <joel.esler () sourcefire com>
Date: Mon, 27 Mar 2006 17:05:28 -0500
You say you went from 200 to about 3000? What changed? Please provide more info if you could, we'd be glad to help.
J On Mar 27, 2006, at 4:24 PM, sekure wrote:
Question: I went from seeing around 200 stream flushes per second to about 3000. Needless to say CPU spiked to 100% and snort is dropping upwards of 60% of packets. I tried increasing the stream4 memcap from defaul 8MB to 128 MB with no improvement in performance. This is an Intel 2.8 Xeon with 1GB RAM which had no problems dealing with ~80-90Mbps on an average basis. Here is my relevant config: preprocessor stream4: disable_evasion_alerts, detect_scans, memcap 134217728, timeout 60 preprocessor stream4_reassemble: bothWhile i hunt down the source of the problem, can someone answer my questions:Other than the stream timing out based on the timeout value, what else would cause a stream to be flushed? What can I do to enable snort to cope better with this? -------------------------------------------------------This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Stream4 behavior sekure (Mar 27)
- Re: Stream4 behavior Joel Esler (Mar 27)
- Re: Stream4 behavior sekure (Mar 27)
- Re: Stream4 behavior sekure (Mar 28)
- Re: Stream4 behavior Lorine Ruotolo (Mar 28)
- Re: Stream4 behavior Jason Brvenik (Mar 28)
- Re: Stream4 behavior Matthew Watchinski (Mar 28)
- Re: Stream4 behavior sekure (Mar 27)
- Re: Stream4 behavior Joel Esler (Mar 27)