Snort mailing list archives

Re: VRT stream5 Preprocessor Config vs Default Settings


From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 29 Apr 2011 10:33:29 -0400

On Fri, Apr 29, 2011 at 10:28 AM, Matt Watchinski <
mwatchinski () sourcefire com> wrote:

Stream5's config parser is pretty loose, so commas or spaces are ok
and can be interchanged.  This is inconsistent though in my opinion,
so I'll reformat it for the ,\ per line as suggested below so it's easier
to read in the 2.9.0.5 conf file for the next rule package we release.


FYI - we have a bug targeted for the 2.9.1 release that tightens up
stream5's comma related parsing.  In some cases, if a comma doesn't separate
keywords, the latter keyword is ignored.


As for the max_tcp number being set to 8192, the CVS comments for
when this was set in the 2861 conf are that it is for memory allocation
reasons in stream5, as it pre-allocates memory per stream tracked.
Since the default is a higher number, I'll update it to reflect that
default in the 2905.conf.

Thanks for the feedback.

Cheers,
-matt



On Thu, Apr 28, 2011 at 5:20 PM, Eoin Miller
<eoin.miller () trojanedbinaries com> wrote:
The VRT-supplied snort.conf file that comes with 2.9.0.4 as of today contains
this line:

---snip---
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,
track_icmp no max_active_responses 2 min_response_seconds 5
^ ^
|---missing commas?----|
---snip---

I guess it still loads it with these options? If not, it should look like
this (separated by line to make it easier to read in the email threads):

preprocessor stream5_global: max_tcp 8192,\
track_tcp yes,\
track_udp yes,\
track_icmp no,\
max_active_responses 2,\
min_response_seconds 5

Some of those settings are even lower than what is turned on by default,
it would appear. max_tcp is set to 8192 in the VRT conf as shown
above; however, the 2.9.0.5 manual states:
--snip--
max_tcp <num sessions> || Maximum simultaneous TCP sessions tracked. The
default is "262144", maximum is "1048576", minimum is "1".
--snip--

What else is weird is that max_udp is missing in the config, and therefore
the default value of 131072 would kick in, so the VRT config has you tracking
a lot more UDP sessions than TCP sessions with stream5. From the 2.9.0.5
manual:
--snip--
max_udp <num sessions> || Maximum simultaneous UDP sessions tracked. The
default is "131072", maximum is "1048576", minimum is "1".
--snip--

Not sure if this is by design or just an artifact from the previous
snort.conf's, where this has been set to this value forever in recent
memory. The value does seem pretty low, however.


I guess something more like:

preprocessor stream5_global: track_tcp yes,\
track_udp yes,\
track_icmp no,\
max_active_responses 2,\
min_response_seconds 5

Or:

preprocessor stream5_global: track_tcp yes,\
max_tcp 262144,\
track_udp yes,\
max_udp 131072,\
track_icmp no,\
max_active_responses 2,\
min_response_seconds 5

Thought this might be worthy of review/consideration for others.

-- Eoin
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
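Added example, not part of this thread and not Snort's own parser: a small Python checker that reads a stream5_global directive the way the thread describes the loose parser behaving (commas and whitespace interchangeable, backslash line continuations joined), flags keyword pairs that are not separated by a comma, and compares max_tcp/max_udp against the 2.9.0.5 manual defaults quoted above. The tokenization model and the keyword classes are assumptions made for this example; only the default and limit values come from the thread.

```python
# Defaults and bounds as quoted from the Snort 2.9.0.5 manual in this thread.
DEFAULTS = {"max_tcp": 262144, "max_udp": 131072}
LIMIT_MIN = 1
LIMIT_MAX = 1048576

# Keyword classes: an assumption for this example, covering only the
# keywords that appear in the thread.
NUMERIC = {"max_tcp", "max_udp", "max_active_responses", "min_response_seconds"}
FLAGS = {"track_tcp", "track_udp", "track_icmp"}

# Constructed sample: the VRT line as quoted in the thread, commas missing.
VRT_LINE = ("preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,\n"
            "track_icmp no max_active_responses 2 min_response_seconds 5")


def parse_stream5_global(text):
    """Return (options, warnings) for one stream5_global directive.

    Assumed model of the loose parser: backslash-newline continuations are
    joined, commas and whitespace both act as separators, and a keyword/value
    pair that follows another pair inside the same comma-delimited chunk is
    reported, since the 2.9.1 tightening mentioned above may not accept it.
    """
    if "stream5_global:" not in text:
        raise ValueError("not a stream5_global directive")
    body = text.split("stream5_global:", 1)[1]
    body = body.replace("\\\n", " ").replace("\n", " ")
    options, warnings = {}, []
    for chunk in body.split(","):
        tokens = chunk.split()
        if len(tokens) % 2:
            warnings.append("odd token count in chunk: %r" % chunk.strip())
            tokens = tokens[:-1]
        pairs = list(zip(tokens[0::2], tokens[1::2]))
        # Two pairs in one chunk means no comma separated them.
        for (k1, _), (k2, _) in zip(pairs, pairs[1:]):
            warnings.append("no comma between %s and %s" % (k1, k2))
        for key, value in pairs:
            if key in NUMERIC:
                n = int(value)
                if key in DEFAULTS and not LIMIT_MIN <= n <= LIMIT_MAX:
                    warnings.append("%s=%d outside [%d, %d]" % (key, n, LIMIT_MIN, LIMIT_MAX))
                options[key] = n
            elif key in FLAGS:
                options[key] = value.lower() == "yes"
            else:
                warnings.append("unknown keyword %s" % key)
    return options, warnings


def effective_limits(options):
    """Fill in the manual's defaults for limits the directive omits and
    return (limits, notes) covering the points raised in the thread."""
    limits = {k: options.get(k, DEFAULTS[k]) for k in DEFAULTS}
    notes = []
    for key, default in DEFAULTS.items():
        if key not in options:
            notes.append("%s not set; default %d applies" % (key, default))
        elif options[key] < default:
            notes.append("%s=%d is below the default %d" % (key, options[key], default))
    if options.get("track_tcp") and options.get("track_udp") and limits["max_udp"] > limits["max_tcp"]:
        notes.append("tracking more UDP sessions (%d) than TCP sessions (%d)"
                     % (limits["max_udp"], limits["max_tcp"]))
    return limits, notes


if __name__ == "__main__":
    opts, warns = parse_stream5_global(VRT_LINE)
    lims, notes = effective_limits(opts)
    for line in warns + notes:
        print("-", line)
```

Run against the VRT line it reports the two missing commas, the max_tcp value below its default, the max_udp default kicking in, and the resulting UDP-over-TCP imbalance; run against the fully comma-separated variant with explicit max_tcp and max_udp it reports nothing.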

