Snort mailing list archives

Re: snort + freebsd tuning


From: Nigel Houghton <nigel () sourcefire com>
Date: Wed, 22 Oct 2003 07:22:34 -0400 (EDT)


Sorry, I forgot to mention, libpcap overrides the default value of 4k. Not
exactly the same as changing the sysctl value, but I guess you could say
Snort changes it indirectly by virtue of using libpcap.

Also check out sysctl debug.bpf_maxbufsize and see what that value is.

Off to take my penalty drink now.

Around 7:09am I said:

NH :
NH :Around Yesterday John said:
NH :J: I was just wondering if someone could tell me what this is for.
NH :J: sysctl debug.bpf_bufsize (default is 4k)
NH :J: does snort override this value, and if not should I be increasing it?
NH :
NH :This is the buffer size for bpf. 4k is pretty small, you could increase it
NH :to a value you might be more comfortable with, say 512 K or 1 Meg if you
NH :have the resources.
NH :
NH : sysctl debug.bpf_bufsize=<insert your value here>
NH :
NH :You could also put debug.bpf_bufsize=<value> in /etc/sysctl.conf so you
NH :keep it whenever you reboot.
NH :
NH :No, I don't believe Snort increases debug.bpf_bufsize.
NH :

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister

