Snort mailing list archives
Re: Snort Memcap issue
From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Wed, 23 Apr 2014 17:00:30 -0400
Wouldn’t lowering the max_tcp reduce the amount of sessions stored in memory and therefore reduce the likelihood of being able to alert on actual intrusions since more sessions will likely go unmonitored? If the memcap is maxed out, and sessions are being pruned, it seems that overall RAM would be the culprit, right? Reducing the sessions would, in a way, be manually snipping these sessions /before/ sessions are stored in memory instead of afterwards?

Maybe I’m not understanding how the sessions are stored and managed though.

From: Mnemonyss [mailto:mnemonyss () gmail com]
Sent: Wednesday, April 23, 2014 1:52 PM
To: Hui Cao (huica)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Memcap issue

I have memcap set at its max, so I lowered max_tcp and the messages stopped.

Thank you!
Alicia S.

On Wed, Apr 23, 2014 at 12:25 PM, Hui Cao (huica) <huica () cisco com> wrote:

You need to increase memcap to get rid of this. Lowering max_tcp also helps.

Best,
Hui

From: Mnemonyss <mnemonyss () gmail com>
Date: Wednesday, April 23, 2014 at 1:17 PM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort Memcap issue

I am continuing to see these and would like to know if there's some alternate configuration I should try to get rid of this output:

Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain. memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain. memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain. memcap: 1073739717/1073741824

Version: Snort 2.9.6.0

Stream5 configuration:

# Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no, \
   max_tcp 25600, \
   memcap 1073741824, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 0

If I lower the max_tcp would it effectively lower the amount of sessions in memcap?

Please advise,
Alicia S.
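
Added example, not part of the original thread or of Snort itself: a small Python parser for the "S5: Pruned ..." syslog lines quoted above, which reports how close the sensor is running to both limits under discussion (memcap and max_tcp). The function names and the per-session average are assumptions made for illustration; the sample input is the three log lines from the thread.

```python
import re
from collections import Counter

# Constructed sample input: the three syslog lines quoted in the thread.
SAMPLE = """\
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain. memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain. memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain. memcap: 1073739717/1073741824
"""

# The reason field is matched generically; only "memcap" appears in the thread.
PRUNE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssnort\[\d+\]:\sS5:\sPruned\s(?P<pruned>\d+)"
    r"\ssessions?\sfrom\scache\sfor\s(?P<reason>\w+)\.\s+(?P<remain>\d+)\sssns\sremain\."
    r"\s+memcap:\s(?P<used>\d+)/(?P<cap>\d+)"
)

def parse_prunes(text):
    """Return one dict per Stream5 prune message; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PRUNE_RE.match(line.strip())
        if m:
            ev = {"ts": m["ts"], "reason": m["reason"]}
            ev.update({k: int(m[k]) for k in ("pruned", "remain", "used", "cap")})
            events.append(ev)
    return events

def summarize(events, max_tcp):
    """Aggregate prune events against the configured max_tcp and memcap."""
    if not events:
        return None
    last = events[-1]
    return {
        "events": len(events),
        "sessions_pruned": sum(e["pruned"] for e in events),
        "reasons": sorted({e["reason"] for e in events}),
        "busiest_second": Counter(e["ts"] for e in events).most_common(1)[0],
        "min_free_bytes": min(e["cap"] - e["used"] for e in events),
        "session_slots_free": max_tcp - last["remain"],
        # Rough average only: assumes memcap use is spread over tracked sessions.
        "avg_bytes_per_session": last["used"] // last["remain"],
    }

if __name__ == "__main__":
    print(summarize(parse_prunes(SAMPLE), max_tcp=25600))
```

On the three lines from the thread this reports 15 sessions pruned within one second, as little as 2107 bytes of memcap free, and 15 session slots left below max_tcp 25600.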
Current thread:
- Snort Memcap issue Mnemonyss (Apr 23)
- Re: Snort Memcap issue Hui Cao (huica) (Apr 23)
- Re: Snort Memcap issue Mnemonyss (Apr 23)
- Re: Snort Memcap issue Kurzawa, Kevin (Apr 23)
- Re: Snort Memcap issue Mnemonyss (Apr 23)
- Re: Snort Memcap issue Hui Cao (huica) (Apr 23)