Snort mailing list archives
Re: Getting tuned finally!
From: Jason Brvenik <jasonb () sourcefire com>
Date: Wed, 11 Mar 2009 17:21:46 -0400
Tuning it by increasing memcap is appropriate. That the max sessions and open sessions always match could indicate a lack of memory still, but more likely indicates that you are not getting the full session. Check to make sure you are getting the full three-way handshake and session teardown.

On Wed, Mar 11, 2009 at 4:55 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
So I think I’m finally getting my snort sensor tuned so that I am achieving a balance between resources (not dropping any packets according to snorts.stats) and having some of the EmergingThreats rulesets enabled.

I do have some questions about the stream5 preprocessor though. I noticed that I was getting “faults” occasionally, and subsequent messages in the daemon.log about pruning sessions, so I increased the memcap limit until these went away. Is this a “correct” action to take?

Also, I noticed that my Open Sessions stats show open sessions to pretty much always be equal to max sessions, which is set at 8192. Should I be increasing this, or is that normal behaviour?

Thanks,
Shawn

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are powering Web 2.0 with engaging, cross-platform capabilities. Quickly and easily build your RIAs with Flex Builder, the Eclipse(TM)based development software that enables intelligent coding and step-through debugging. Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Getting tuned finally! Jefferson, Shawn (Mar 11)
- Re: Getting tuned finally! Joel Esler (Mar 11)
- Re: Getting tuned finally! Jefferson, Shawn (Mar 11)
- Re: Getting tuned finally! Joel Esler (Mar 11)
- Re: Getting tuned finally! Jefferson, Shawn (Mar 11)
- Re: Getting tuned finally! Joel Esler (Mar 11)
- Re: Getting tuned finally! Jason Brvenik (Mar 11)
- Re: Getting tuned finally! Joel Esler (Mar 11)
- Re: Getting tuned finally! Jason Wallace (Mar 17)
- Re: Getting tuned finally! Jefferson, Shawn (Mar 11)
- Re: Getting tuned finally! Joel Esler (Mar 11)