Snort mailing list archives

Re: VRT stream5 Preprocessor Config vs Default Settings


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 17 May 2011 18:00:56 +0000

On 4/28/2011 9:20 PM, Eoin Miller wrote:
VRT supplied snort.conf file that comes with 2.9.0.4 as of today 
contains this line:

---snip---
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp 
yes, track_icmp no max_active_responses 2 min_response_seconds 5
                  ^                      ^
                  |---missing commas?----|
---snip---

I guess it still loads it with these options? If not it should look 
like (separated by line to make easier to read in the email threads):

preprocessor stream5_global: max_tcp 8192,\
track_tcp yes,\
track_udp yes,\
track_icmp no,\
max_active_responses 2,\
min_response_seconds 5

Some of those settings are even lower than what is turned on by default, 
it would appear. max_tcp is set to 8192 in the VRT conf as 
shown above, however the 2.9.0.5 manual states:
--snip--
max_tcp <num sessions> || Maximum simultaneous TCP sessions tracked. 
The default is "262144", maximum is "1048576", minimum is "1".
--snip--

What else is weird is that max_udp is missing in the config and 
therefore the default value of 131072 would kick in, so the VRT config 
has you tracking a lot more UDP sessions than TCP sessions with 
stream5. From the 2.9.0.5 manual:
--snip--
max_udp <num sessions> || Maximum simultaneous UDP sessions tracked. 
The default is "131072", maximum is "1048576", minimum is "1".
--snip--

Not sure if this is by design or just an artifact from the previous 
snort.conf's where this has been set to this value forever in recent 
memory. Value does seem pretty low however.


I guess something more like:

preprocessor stream5_global: track_tcp yes,\
track_udp yes,\
track_icmp no,\
max_active_responses 2,\
min_response_seconds 5

Or:

preprocessor stream5_global: track_tcp yes,\
max_tcp 262144,\
track_udp yes,\
max_udp 131072,\
track_icmp no,\
max_active_responses 2,\
min_response_seconds 5

Thought this might be worthy of review/consideration for others.

-- Eoin



Noticed after updating this to use the default settings for the max_tcp, 
the Snort process generates tons of alerts about pruning 5 sessions at a 
time due to memcap limitations. If you up the number of sessions tracked 
from 8192 to the default 262144, you need to increase memcap from the 
default 8MB. I tried tripling it and it seems to be working ok. I put 
this in my stream5_global variable list:

memcap 33554432

-- Eoin
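The two problems the thread raises (options run together without commas, and limits that silently fall back to the manual defaults) are easy to catch before Snort ever reads the file. The following is an added example, not code from the original post, from Snort or from the VRT: a small Python linter for `preprocessor stream5_global:` lines. It joins backslash-continued lines the way the thread's reformatted config expects, flags any comma-separated field that carries more than one option, fills in the 2.9.0.5 manual defaults quoted above (max_tcp 262144, max_udp 131072) plus the 8 MB memcap default mentioned in the follow-up, and warns when max_tcp is raised past the shipped 8192 without an explicit memcap, which is the pruning situation described in the follow-up. The sample config strings are constructed from the lines quoted in the thread; the "raised max_tcp without memcap" rule is a heuristic taken from the follow-up message, not something Snort itself enforces, and whether Snort accepts the comma-less line as written is not tested here.

```python
"""Lint `preprocessor stream5_global:` lines for the problems raised in
this thread: run-together options that should be comma-separated, and
limits that silently fall back to the manual defaults.

Added example, not part of the original post and not Snort code.
Session-limit defaults are the 2.9.0.5 manual values quoted in the
thread; the 8 MB memcap default and the "raised max_tcp past the
shipped 8192 without touching memcap" heuristic come from the follow-up
message and are assumptions, not something Snort itself checks.
"""
import re

# Defaults quoted in the thread (manual 2.9.0.5) plus the memcap default
# mentioned in the follow-up message.
DEFAULTS = {
    "track_tcp": "yes",
    "max_tcp": 262144,
    "track_udp": "yes",
    "max_udp": 131072,
    "track_icmp": "no",
    "memcap": 8388608,  # 8 MB
}

SHIPPED_MAX_TCP = 8192  # value in the VRT-supplied snort.conf quoted above

# A token that can be an option value: an integer or yes/no.
VALUE_RE = re.compile(r"^(\d+|yes|no)$")


def join_continuations(text):
    """Glue backslash-continued lines together the way Snort reads them."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_stream5_global(text):
    """Return (options, warnings) for every stream5_global line in text.

    Each comma-separated field should hold one option, or one option and
    its value. A field holding more than that is reported as a missing
    comma and then split into key/value pairs anyway, so the caller still
    sees what the author meant.
    """
    options, warnings = {}, []
    for line in join_continuations(text).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"preprocessor\s+stream5_global\s*:\s*(.*)$", line)
        if not m:
            continue
        for field in m.group(1).split(","):
            words = field.split()
            if not words:
                warnings.append("stray comma (empty field)")
                continue
            if len(words) > 2:
                warnings.append("missing comma in field: %r" % " ".join(words))
            i = 0
            while i < len(words):
                key = words[i]
                if i + 1 < len(words) and VALUE_RE.match(words[i + 1]):
                    options[key] = words[i + 1]
                    i += 2
                else:
                    options[key] = True  # bare flag such as flush_on_alert
                    i += 1
    return options, warnings


def review(text):
    """Return (effective settings, warnings) after applying the defaults."""
    options, warnings = parse_stream5_global(text)
    effective = dict(DEFAULTS)
    effective.update(options)
    for key in ("max_tcp", "max_udp", "memcap"):
        effective[key] = int(effective[key])

    if "max_udp" not in options and effective["max_udp"] > effective["max_tcp"]:
        warnings.append("max_udp not set: default %d exceeds max_tcp %d"
                        % (effective["max_udp"], effective["max_tcp"]))
    # Heuristic from the follow-up: raising max_tcp above the shipped
    # value while leaving memcap at 8 MB produced constant session pruning.
    if "memcap" not in options and effective["max_tcp"] > SHIPPED_MAX_TCP:
        warnings.append("max_tcp %d with default memcap %d: expect pruning, set memcap"
                        % (effective["max_tcp"], effective["memcap"]))
    return effective, warnings


# Constructed samples: the VRT line as quoted in the thread, and the
# corrected form from the follow-up (max_tcp at the default, memcap raised).
VRT_CONF = """
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
"""

FIXED_CONF = """
preprocessor stream5_global: track_tcp yes,\\
    max_tcp 262144,\\
    track_udp yes,\\
    max_udp 131072,\\
    track_icmp no,\\
    max_active_responses 2,\\
    min_response_seconds 5,\\
    memcap 33554432
"""

if __name__ == "__main__":
    for name, conf in (("VRT", VRT_CONF), ("fixed", FIXED_CONF)):
        effective, warnings = review(conf)
        print(name, {k: effective[k] for k in ("max_tcp", "max_udp", "memcap")})
        for w in warnings:
            print("  WARNING:", w)
```

Run against the VRT line it reports the missing comma in the `track_icmp no ...` field and the max_udp default exceeding max_tcp; against the corrected line it reports nothing. Point it at a real snort.conf by reading the file into `review()`; anything it flags as a bare flag that you expected to carry a value is worth a second look at the manual's option table.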

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

