Snort mailing list archives

Re: Stream4 behavior


From: "Lorine Ruotolo" <lori.ruotolo () hotmail com>
Date: Tue, 28 Mar 2006 12:20:21 -0600

I usually take a number of small packet captures to get a footprint of the network and figure out what to disable and look for.

Then, I do things like disable the reassembly of any encryption or tunnel protocols since they are usually the most common to fragment while still being acceptable traffic.


From: sekure <sekure () gmail com>
To: "Joel Esler" <joel.esler () sourcefire com>
CC: "Snort Users" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Stream4 behavior
Date: Tue, 28 Mar 2006 11:50:11 -0500

Joel, snorters

Any ideas?  Whatever was happening has subsided, and i am back to
about 200 stream flushes/second and around 10K packets/sec.  But i
went looking through my perfmonitor graphs and i see short spikes in
packets/sec, tied to spikes in stream flushes/second tied to cpu
utilization nearing 100% and packets dropped all over the floor.
Seems that nothing i do with stream4 parameters helps.

Do you have any suggestions for me to try?  Is there any guidance for
configuring stream4 preprocessor, other than what's in the
documentation?

On 3/27/06, sekure <sekure () gmail com> wrote:
> Joel,
>
> I'd love to know myself.  Nothing changed snort configuration-wise in
> snort.  My guess is someone started doing something funky on the
> network.  I can't put my finger on it.  I see a lot of netbios traffic
> with iptraf, so perhaps someone is copying tons of stuff, though i
> have no idea what they'd be copying for the past 6 hours.
>
> BTW, the packets/second count also went up from about 8K to 20K at the
> same time.
>
> I RTFM'ed and tried playing around with some of the new stream4
> parameters.  Currently i have it configured like so:
> preprocessor stream4: disable_evasion_alerts, detect_scans, memcap
> 67108864, self_preservation_threshold 3500, suspend_threshold 5000,
> max_sessions 65536, timeout 20
>
> No change, still dropping packets like crazy. Running Snort Version 2.4.2
>
> I'd appreciate any help.
>
> On 3/27/06, Joel Esler <joel.esler () sourcefire com> wrote:
> > You say you went from 200 to about 3000?  What changed?  Please
> > provide more info if you could, we'd be glad to help.
> >
> > J
> >
> > On Mar 27, 2006, at 4:24 PM, sekure wrote:
> >
> > > Question:
> > >
> > > I went from seeing around 200 stream flushes per second to about 3000.
> > >  Needless to say CPU spiked to 100% and snort is dropping upwards of
> > > 60% of packets.
> > >
> > > I tried increasing the stream4 memcap from default 8MB to 128 MB with
> > > no improvement in performance.
> > >
> > > This is an Intel 2.8 Xeon with 1GB RAM which had no problems dealing
> > > with ~80-90Mbps on an average basis.
> > >
> > > Here is my relevant config:
> > > preprocessor stream4: disable_evasion_alerts, detect_scans, memcap
> > > 134217728, timeout 60
> > > preprocessor stream4_reassemble: both
> > >
> > > While i hunt down the source of the problem, can someone answer my
> > > questions:
> > >
> > > Other than the stream timing out based on the timeout value, what else
> > > would cause a stream to be flushed?
> > > What can I do to enable snort to cope better with this?
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by xPML, a groundbreaking scripting
> > > language
> > > that extends applications into web and mobile media. Attend the
> > > live webcast
> > > and join the prime developer group breaking into this new coding
> > > territory!
> > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> >
> >
>






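Added example, not from the Snort project or any poster in this thread: the "footprint" step described at the top of the thread, done on a sample of TCP flow summaries rather than by eye. It aggregates bytes per destination port so the heavy talkers (here the netbios/SMB ports the second poster saw with iptraf) stand out, then drops the ports on an assumed encrypted/tunnel list from the stream4_reassemble port set, since content rules cannot match inside TLS, SSH or OpenVPN streams and reassembling them only burns CPU and memcap. The flow records and the ENCRYPTED_OR_TUNNEL_PORTS set are constructed assumptions; stream4 tracks TCP only, so UDP ports do not belong in the list.

```python
from collections import defaultdict

# Constructed sample (not a real capture): one (tcp_dst_port, bytes) pair per
# flow, the kind of summary a few short tcpdump or iptraf sessions give you.
SAMPLE_FLOWS = [
    (139, 4_000_000), (445, 9_500_000), (445, 7_000_000),
    (443, 2_000_000), (443, 1_500_000), (22, 800_000),
    (80, 3_000_000), (25, 200_000), (1194, 1_200_000),
]

# Assumption: TCP ports carrying encrypted or tunnelled payload.  Content rules
# cannot match inside them, so reassembling those streams costs CPU and memcap
# for nothing.  Adjust to what the footprint actually shows on your network.
ENCRYPTED_OR_TUNNEL_PORTS = {22, 443, 993, 995, 1194}


def port_footprint(flows):
    """Aggregate flows per destination port.

    Returns a list of (port, flow_count, byte_count, byte_share) sorted by
    byte_count descending, so the heaviest talkers come first."""
    flows_per_port = defaultdict(int)
    bytes_per_port = defaultdict(int)
    for port, nbytes in flows:
        flows_per_port[port] += 1
        bytes_per_port[port] += nbytes
    total = sum(bytes_per_port.values()) or 1
    rows = [(p, flows_per_port[p], b, b / total) for p, b in bytes_per_port.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def reassembly_ports(flows, exclude=ENCRYPTED_OR_TUNNEL_PORTS):
    """Ports that should stay in stream4_reassemble: every TCP port observed
    in the sample except those on the exclude list.  Low-volume ports such as
    25 are kept; reassembling them is cheap and that is where rules match."""
    return sorted({port for port, _ in flows} - set(exclude))


def skipped_share(flows, exclude=ENCRYPTED_OR_TUNNEL_PORTS):
    """Fraction of sampled bytes that will no longer be reassembled."""
    total = sum(b for _, b in flows) or 1
    return sum(b for p, b in flows if p in exclude) / total


def stream4_reassemble_line(ports, mode="both"):
    """Render the snort.conf line.  stream4_reassemble takes an explicit port
    list through its 'ports' keyword in place of 'default' or 'all'."""
    return f"preprocessor stream4_reassemble: {mode}, ports {' '.join(map(str, ports))}"


if __name__ == "__main__":
    print(f"{'port':>6} {'flows':>6} {'bytes':>12} {'share':>7}")
    for port, n, b, share in port_footprint(SAMPLE_FLOWS):
        print(f"{port:>6} {n:>6} {b:>12} {share:>7.1%}")
    ports = reassembly_ports(SAMPLE_FLOWS)
    print(f"\nbytes no longer reassembled: {skipped_share(SAMPLE_FLOWS):.1%}")
    print(stream4_reassemble_line(ports))
```

Run it against summaries from several short captures taken at different times of day before changing snort.conf; a single capture during the spike the thread describes would show nothing but netbios and hide the ports that matter the rest of the time.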

