Re: stream4 memory questions.

[Vjay LaRosa <vjayl () emc com>]

Hi Marty,

I understand that both of frag2 and stream4 are seperate memory pools, but what
I was
wondering is what is the maximum size I can set these variables.

vjl



Martin Roesch wrote:

> On 3/14/02 2:27 PM, "Vjay LaRosa" <vjayl () emc com> wrote:
>
> > Hello,
> >
> > I have two questions...
> >
> > 1)
> >
> > Can some one tell me if there is a memory cap for the preprocessors
> > frag2 and streams4? I want to make sure that each snort process on my
> > server
> > has MORE than enough memory than it needs (6 GB in the server!).
> >
> > Currently I can see one process uses up to 147 MB of memory,
> >
> > 14967 root       1  40    0   27M   27M run   303:39 17.82% snort
> > 14972 root       1  31    0  147M  147M sleep 235:55 14.28% snort <----
> > 14962 root       1  52    0   18M   18M sleep 244:12  8.59% snort
> >
> > These are my snort.conf settings.
> >
> > preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
> > preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
>
> There are *separate* memcaps for stream4 and frag2, they each have their own
> memory pools and memory managers.  If you want to limit it to a total of
> 128M you need to make it 64MB and 64MB respectively.
>
> > 2)
> > Could some one explain the following lines of output to me? They are
> > from a kill -USR1 to a snort process.
> >
> > Stream Trackers
>
> Number of sessions that had trackers (session data structs) setup for them.
>
> > Stream Flushes
>
> Number of times the stream flush function was called.  BTW, does anyone have
> any recommendations for deciding when to flush the streams?  The current
> setup is pretty naïve, it flushes if there are more than 2 packets with 128
> bytes or more data stored for the stream.  This method pretty much sucks, so
> I'm open to suggestions.  We  want to model the behavior of the target host
> as closely as possible...
>
> > Segments used
>
> This is the number of segments that have been combined during stream
> flushes.
>
> > Stream4 Memory faults
>
> This is the number of times the memcap was hit and stream4 had to take
> extended measures (flushing old segments first, if that fails flushing 5
> random stream trackers at the leaf nodes in the splay tree the trackers are
> stored in and all their associated segments).  If this number is large you
> should think about increasing your memcap for stream4.
>
> BTW, with ~8MB of RAM you should be able to store approximately 32000
> simultaneous sessions in the average case in RAM.  If you don't do stream
> reassembly (stateful inspection only) you should be able to store ~64000
> sessions.
>
>      -Marty
>
> --
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch () sourcefire com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users