Snort mailing list archives
Re: VRT stream5 Preprocessor Config vs Default Settings
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 20 May 2011 13:59:05 -0400
Eoin,

We updated the 2.9.0.5 .conf several weeks ago. These are the defaults that are in it now:

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

J

On Apr 28, 2011, at 9:31 PM, Joel Esler wrote:

> We've taken this for action on our side. Thanks Eoin.
>
> --
> Sent from my iPad
> Please excuse the brevity
>
> On Apr 28, 2011, at 5:20 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
>
>> VRT supplied snort.conf file that comes with 2.9.0.4 as of today contains this line:
>>
>> ---snip---
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
>>                                                                                       ^                      ^
>>                                                                                       |---missing commas?----|
>> ---snip---
>>
>> I guess it still loads it with these options? If not it should look like (separated by line to make easier to read in the email threads):
>>
>> preprocessor stream5_global: max_tcp 8192,\
>>    track_tcp yes,\
>>    track_udp yes,\
>>    track_icmp no,\
>>    max_active_responses 2,\
>>    min_response_seconds 5
>>
>> Some of those settings are even less than what is turned on by default though it would appear. max_tcp is set to 8192 in the VRT conf as shown above, however the 2.9.0.5 manual states:
>>
>> --snip--
>> max_tcp <num sessions> || Maximum simultaneous TCP sessions tracked. The default is "262144", maximum is "1048576", minimum is "1".
>> --snip--
>>
>> What else is weird is that max_udp is missing in the config and therefore the default value of 131072 would kick in, so the VRT config has you tracking a lot more UDP sessions than TCP sessions with stream5. From the 2.9.0.5 manual:
>>
>> --snip--
>> max_udp <num sessions> || Maximum simultaneous UDP sessions tracked. The default is "131072", maximum is "1048576", minimum is "1".
>> --snip--
>>
>> Not sure if this is by design or just an artifact from the previous snort.conf's where this has been set to this value forever in recent memory. Value does seem pretty low however.
>>
>> I guess something more like:
>>
>> preprocessor stream5_global: track_tcp yes,\
>>    track_udp yes,\
>>    track_icmp no,\
>>    max_active_responses 2,\
>>    min_response_seconds 5
>>
>> Or:
>>
>> preprocessor stream5_global: track_tcp yes,\
>>    max_tcp 262144,\
>>    track_udp yes,\
>>    max_udp 131072,\
>>    track_icmp no,\
>>    max_active_responses 2,\
>>    min_response_seconds 5
>>
>> Thought this might be worthy of review/consideration for others.
>>
>> -- Eoin
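An added example, not part of the thread and not Snort code: a small Python lint for the stream5_global line that flags the dropped commas Eoin points out and compares max_tcp and max_udp with the manual defaults and limits quoted in the thread. The KNOWN option list is limited to the names that appear in this thread, and the comma check is a heuristic, not a model of how Snort itself parses the line.

```python
import re

# Defaults and limits as quoted from the 2.9.0.5 manual in the thread.
MANUAL = {"max_tcp": (262144, 1, 1048576), "max_udp": (131072, 1, 1048576)}
# Option names that appear in the thread's stream5_global lines (assumed list).
KNOWN = {"track_tcp", "track_udp", "track_icmp", "max_tcp", "max_udp",
         "max_active_responses", "min_response_seconds"}
# The 2.9.0.4 line and the 2.9.0.5 defaults, as quoted in the thread.
OLD_CONF = ("preprocessor stream5_global: max_tcp 8192, track_tcp yes, "
            "track_udp yes, track_icmp no max_active_responses 2 "
            "min_response_seconds 5\n")
NEW_CONF = ("preprocessor stream5_global: track_tcp yes, \\\n track_udp yes, \\\n"
            " track_icmp no, \\\n max_tcp 262144, \\\n max_udp 131072, \\\n"
            " max_active_responses 2, \\\n min_response_seconds 5\n")

def lint_stream5_global(conf_text):
    """Return (options, findings) for the stream5_global line in conf_text."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)  # fold "\" continuations
    m = re.search(r"^\s*preprocessor\s+stream5_global:(.*)$", joined, re.M)
    if not m:
        return {}, ["no stream5_global line found"]
    options, findings, effective = {}, [], {}
    for chunk in m.group(1).split(","):
        words = chunk.split()
        # A chunk should be one "name value" pair; a known option name further
        # along in the chunk means the comma before it was dropped.
        findings += [f"missing comma before '{w}'" for w in words[2:] if w in KNOWN]
        # Recover the pairs anyway so the value checks below still run.
        options.update(zip(words[0::2], words[1::2]))
    for name, (default, low, high) in MANUAL.items():
        value = options.get(name)
        if value is None:
            effective[name] = default
            findings.append(f"{name} not set, manual default {default} applies")
        elif not value.isdigit() or not low <= int(value) <= high:
            effective[name] = default
            findings.append(f"{name} '{value}' is not a number in {low}..{high}")
        else:
            effective[name] = int(value)
            if effective[name] < default:
                findings.append(f"{name} {value} is below manual default {default}")
    if effective["max_tcp"] < effective["max_udp"]:
        findings.append("max_tcp is lower than the effective max_udp")
    return options, findings

if __name__ == "__main__":
    for label, conf in (("2.9.0.4", OLD_CONF), ("2.9.0.5", NEW_CONF)):
        print(label, lint_stream5_global(conf)[1] or "no findings")
```

Run against a sensor's own snort.conf, the same function shows whether the session caps in effect are the ones the operator intended rather than leftovers from an older shipped file.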