Snort mailing list archives

stream4 configuration - high bandwidth


From: Gentoo-Wally <gentoowally () gmail com>
Date: Fri, 1 Sep 2006 13:33:03 -0400

Most of my sensor deployments have been in relatively low bandwidth
environments. I have recently deployed a sensor (snort 2.4.5) in an
area that sees between 100 Mb/s - 250 Mb/s. This sensor will be
monitoring an uplink port behind which sits 100 servers (mix of
win2k, win2k3, linux and solaris). So I'm obviously looking to tune my
preprocessors to the best of my ability. I've been poring over the snort
docs (there doesn't appear to be a README for stream4 in the docs dir, BTW)
and googling 'til my fingers bleed but I still have some questions,
specifically regarding stream4.

How can I determine what values I should use for the following...

max_sessions
server_inspect_limit
memcap

I guess what I need to know is what type of bandwidth usage are the
defaults targeted for? Are the defaults over/under kill for a sensor
seeing 100-250 Mb/s? What type of data should I collect (from snort or
network gear) to help me identify the right values for my environment?
I've never seen any numbers for streams on my network gear, only
flows.

If anyone has any non-stream4 advice or 'watch out for...'s for a
sensor watching this level of traffic... I'm all ears.

Thx for the help,

Wally
