Snort mailing list archives
Re: VRT stream5 Preprocessor Config vs Default Settings
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Tue, 17 May 2011 18:00:56 +0000
On 4/28/2011 9:20 PM, Eoin Miller wrote:
VRT supplied snort.conf file that comes with 2.9.0.4 as of today contains this line: ---snip--- preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5 ^ ^ |---missing commas?----| ---snip--- I guess it still loads it with these options? If not it should look like (separated by line to make easier to read in the email threads): preprocessor stream5_global: max_tcp 8192,\ track_tcp yes,\ track_udp yes,\ track_icmp no,\ max_active_responses 2,\ min_response_seconds 5 Some of those settings are even less than what is turned on by default though it would appear. max_tcp is set to 8192 in the VRT conf as shown above, however the 2.9.0.5 manual states: --snip-- max_tcp <num sessions> || Maximum simultaneous TCP sessions tracked. The default is ”262144”, maximum is ”1048576”, minimum is ”1”. --snip-- What else is weird is that max_udp is missing in the config and therefor the default value of 131072 would kick in, so the VRT config has you tracking a lot more UDP sessions that TCP sessions with stream5. From the 2.9.0.5 manual: --snip-- max_udp <num sessions> || Maximum simultaneous UDP sessions tracked. The default is ”131072”, maximum is ”1048576”, minimum is ”1”. --snip-- Not sure if this is by design or just an artifact from the previous snort.conf's where this has been set to this value forever in recent memory. Value does seem pretty low however. I guess something more like: preprocessor stream5_global: track_tcp yes,\ track_udp yes,\ track_icmp no,\ max_active_responses 2,\ min_response_seconds 5 Or: preprocessor stream5_global: track_tcp yes,\ max_tcp 262144,\ track_udp yes,\ max_udp 131072,\ track_icmp no,\ max_active_responses 2,\ min_response_seconds 5 Thought this might be worthy of review/consideration for others. -- Eoin
Noticed after updating this to use the default settings for the max_tcp, the Snort process generates tons of alerts about pruning 5 sessions at a time due to memcap limitations. If you up the number of sessions tracked from 8192 to the default 262144, you need to increase memcap from the default 8MB. I tried tripling it and it seems to be working ok. I put this in my stream5_global variable list: memcap 33554432 -- Eoin ------------------------------------------------------------------------------ Achieve unprecedented app performance and reliability What every C/C++ and Fortran developer should know. Learn how Intel has extended the reach of its next-generation tools to help boost performance applications - inlcuding clusters. http://p.sf.net/sfu/intel-dev2devmay _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- VRT stream5 Preprocessor Config vs Default Settings Eoin Miller (Apr 28)
- Re: VRT stream5 Preprocessor Config vs Default Settings Joel Esler (Apr 28)
- Re: VRT stream5 Preprocessor Config vs Default Settings Joel Esler (May 20)
- Re: VRT stream5 Preprocessor Config vs Default Settings Joel Esler (May 20)
- Re: VRT stream5 Preprocessor Config vs Default Settings Joel Esler (May 20)
- Re: VRT stream5 Preprocessor Config vs Default Settings Matt Watchinski (Apr 29)
- Re: VRT stream5 Preprocessor Config vs Default Settings Russ Combs (Apr 29)
- Re: VRT stream5 Preprocessor Config vs Default Settings Steven Sturges (May 01)
- Re: VRT stream5 Preprocessor Config vs Default Settings Eoin Miller (May 17)
- Re: VRT stream5 Preprocessor Config vs Default Settings Joel Esler (Apr 28)