Re: controlling open sessions

[Jason Wallace <jason.r.wallace () gmail com>]

Larry,

What does your session graph actually look like? Does the open/active
session line continually grow, or does it actually come down once and
a while. I ask because we had a similar issue a couple of years a go
where the open/active line would continue to go up until it reached
the max session line and then it would stay even with the max session
line and never dip down lower no matter how high we set the max
sessions.

What we found was that we had load balancers and a service monitoring
tool that were not properly closing the sessions they opened when
testing the availability of the service they were
servicing/monitoring. We added the addresses of the load balancers and
monitoring system to our BPF and have not had an issue with too many
open sessions since then.


Wally

On Fri, Jan 7, 2011 at 5:19 PM, Lawrence R. Hughes, Sr.
<lhughes () safemedia com> wrote:
> Russ,
>
> We have been trying to decide the best method of selecting direction
> (client/server/ports), is there some kind of rule of thumb so we don't get
> attacked and snort misses it?
>
> That was a very good reply, and an area we been staying away from, which
> could be where our problem is.
>
> Thanks,
> Larry
>
>
>
> ----- Original Message -----
> From: Russ Combs
> To: Lawrence R. Hughes, Sr.
> Cc: snort-users () lists sourceforge net
> Sent: Friday, January 07, 2011 4:55 PM
> Subject: Re: [Snort-users] controlling open sessions
>
>
> On Fri, Jan 7, 2011 at 2:32 PM, Lawrence R. Hughes, Sr.
> <lhughes () safemedia com> wrote:
> > Russ,
> >
> > The open sessions are active.
>
> Then it seems that what you really have is a general tuning issue.  The more
> sessions, the more work Snort is doing, and at some point, your sensor gets
> overloaded and you get dropped packets.
>
> Focusing specifically on sessions, stream5 has some settings you can tweak
> to limit what it does.  Watch out for stream5_global max_tcp and memcap and
> stream5_tcp - those are pretty broad in scope and affect any and all tcp
> traffic.  The effect may not be what you expect either; reducing max_tcp and
> memcap would likely lead to more session thrashing within Snort resulting in
> less efficient use of CPU and reduced detection.
>
> It would be better to look at the stream5_tcp ports and directions and try
> to limit what is inspected that way.  If you have an attribute table that
> comes into play as well.
>
> It also makes sense to look at things like rule tuning.  Are you just
> starting to tune or is this more of a stop-gap measure or what?
>
> > Thanks,
> > Larry
> >
> > ----- Original Message -----
> > From: Russ Combs
> > To: Lawrence R. Hughes, Sr.
> > Cc: snort-users () lists sourceforge net
> > Sent: Friday, January 07, 2011 2:25 PM
> > Subject: Re: [Snort-users] controlling open sessions
> >
> >
> > On Fri, Jan 7, 2011 at 2:22 PM, Lawrence R. Hughes, Sr.
> > <lhughes () safemedia com> wrote:
> > > Russ,
> > >
> > > We are viewing the graphs from pmgraph and notice that as open sessions
> > > increase, so do the dropped packets.
> > > We are trying to tune our system to limit the dropped packets.
> >
> > So are the open sessions inactive or are you just referring to the total
> > number of sessions tracked by Snort at any one time?
> > > Thanks,
> > > Larry
> > >
> > >
> > > ----- Original Message -----
> > > From: Russ Combs
> > > To: Lawrence R. Hughes, Sr.
> > > Cc: snort-users () lists sourceforge net
> > > Sent: Friday, January 07, 2011 1:53 PM
> > > Subject: Re: [Snort-users] controlling open sessions
> > >
> > >
> > > On Fri, Jan 7, 2011 at 12:37 PM, Lawrence R. Hughes, Sr.
> > > <lhughes () safemedia com> wrote:
> > > > Hi,
> > > >
> > > > We have too many open sessions for 2.8.6.1, is there a way to controll
> > > > them via snort.conf?
> > >
> > > Can you clarify what you mean by open sessions and how you might control
> > > them?
> > >
> > > Is it so many that Snort is pruning sessions or is the issue that you
> > > have hosts running out of ports or what?
> > >
> > > > Here is a snippet of our stream5 config (notice the aggressive pruning
> > > > we are doing):
> > > >
> > > >
> > > > # Target-Based stateful inspection/stream reassembly. For more
> > > > inforation, see README.stream5
> > > >
> > > > preprocessor stream5_global: memcap 1073741824, max_tcp 1048576,
> > > > track_tcp yes, max_udp 131072, track_udp yes, track_icmp no, flush_on_alert
> > > > yes
> > > >
> > > > preprocessor stream5_tcp: policy linux, use_static_footprint_sizes,
> > > > max_queued_bytes 4194304, max_queued_segs 5242, \
> > > >
> > > > # overlap_limit 4, small_segments 3 bytes 150, \
> > > >
> > > > timeout 30, dont_store_large_packets, dont_reassemble_async,
> > > > require_3whs 5, \
> > > >
> > > > ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139
> > > > 143 \
> > > >
> > > > 161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669
> > > > \
> > > >
> > > > 7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
> > > >
> > > > ports both 80 311 443 465 563 591 593 636 901 989 992 993 994 995 1220
> > > > 1414 2301 2381 2809 3128 3702 6907 7702 7777 7779 \
> > > >
> > > > 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913
> > > > 7914 7915 7916 \
> > > >
> > > > 7917 7918 7919 7920 8000 8008 8028 8080 8118 8123 8180 8243 8280 8888
> > > > 9443 9999 11371
> > > >
> > > > preprocessor stream5_udp: timeout 30
> > > >
> > > > Thanks,
> > > >
> > > > Larry
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Gaining the trust of online customers is vital for the success of any
> > > > company
> > > > that requires sensitive data to be transmitted over the Web.   Learn how
> > > > to
> > > > best implement a security strategy that keeps consumers' information
> > > > secure
> > > > and instills the confidence they need to proceed with transactions.
> > > > http://p.sf.net/sfu/oracle-sfdevnl
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
> Gaining the trust of online customers is vital for the success of any
> company
> that requires sensitive data to be transmitted over the Web.   Learn how to
> best implement a security strategy that keeps consumers' information secure
> and instills the confidence they need to proceed with transactions.
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers' information secure 
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users