[Snort-users] TCP Reassembly

Siddhartha Jain s_i_d_j at ...131...
Fri Mar 16 06:44:42 EST 2001


I am running snort this way :-
 /usr/local/snort/bin/snort -D -de -C -i hme1 -l /usr/local/snort/log/snort -c /usr/local/snort/conf/snort.conf

 Siddhartha

----- Original Message -----
From: "Christopher E. Cramer" <chris.cramer at ...799...>
To: "Siddhartha Jain" <s_i_d_j at ...131...>
Cc: <snort-users at lists.sourceforge.net>

>
> If I understand you correctly, you are asking if you can optimize the
> solaris box.  The first thing to check is to see if it is an issue of
> dropping packets.  Under solaris, snort will print out packet loss
> statistics when it is gracefully killed.  If you are dropping packets then
> we could start talking about optimization.  If you aren't dropping
> packets, then it could be some screwy tcp window issue that you can't do
> much about.
>
> If we're talking optimization, then part of the optimization is how you
> are logging which depends on the flags you set when starting snort.  If
> you could tell us how you run snort, that might help.
>
> -c
>
>
>
> On Thu, 15 Mar 2001, Siddhartha Jain wrote:
>
> > I am running this on a Sparc/Solaris 2.6 box. Are there any tcp/ip
> > parameters i can tune to solve this?
> >
> > Siddhartha
> >
> > ----- Original Message -----
> > From: "Christopher E. Cramer" <chris.cramer at ...799...>
> > To: "Siddhartha Jain" <s_i_d_j at ...131...>
> > Cc: <snort-users at lists.sourceforge.net>
> > Sent: Thursday, March 15, 2001 11:19 PM
> > Subject: Re: [Snort-users] TCP Reassembly
> >
> >
> > >
> > > It means that the TCP Reassembler may be a bit confused, probably due to
> > > packet loss.  The reassembler allocates space in which to perform
> > > tcp reassembly.  The size of this buffer is based on the known window size
> > > and how much data you want to keep around at any one time.  The
> > > reassembler creates packets from this buffer when it sees an ACK of the
> > > data.  If you are experiencing packet loss, you might not see the ACK and
> > > the data may be left in for too long.  It is also possible that the server
> > > has changed its tcp window size causing the screw up.
> > >
> > > The quick and dirty solution is to ignore it.  The better solution is to
> > > upgrade to the version in the CVS which handles memory differently.
> > >
> > > -Chris
> > >
> > > On Thu, 15 Mar 2001, Siddhartha Jain wrote:
> > >
> > > > Hi,
> > > >
> > > > I get the following logs in /var/adm/messages :-
> > > >
> > > > Mar 15 10:27:15 e220r snort: [!] WARNING: TCP stream reassembler, Server Bytes in Buffer > Buffer Size (29938 > 25144)
> > > >
> > > > What does this mean?
> > > >
> > > > Siddhartha
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > >
> >
> >
> >
>
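An added illustration of the buffer behaviour Chris describes (not Snort's own reassembler code and not part of this thread): data is held per direction in a buffer sized from the known window, freed only when the client's ACK covering it is seen, and a warning is raised once held bytes exceed the buffer size. The buffer size 25144 is the one from the warning quoted above; the segment sizes and the "lost ACKs" scenario are constructed.

```python
# Toy model of the reassembly buffer described above. Added illustration only,
# not Snort's reassembler. 25144 comes from the thread; segment sizes and the
# lost-ACK scenario are constructed.

def reassembler_warning(held, size):
    return ("WARNING: TCP stream reassembler, Server Bytes in Buffer > "
            f"Buffer Size ({held} > {size})")

class ReassemblyBuffer:
    def __init__(self, window):
        self.buffer_size = window   # sized from the known TCP window
        self.segments = {}          # seq -> payload, held until ACKed
        self.warnings = []

    def bytes_in_buffer(self):
        return sum(len(p) for p in self.segments.values())

    def on_data(self, seq, payload):
        """Hold a server->client segment keyed by its sequence number."""
        self.segments[seq] = payload
        held = self.bytes_in_buffer()
        if held > self.buffer_size:
            self.warnings.append(reassembler_warning(held, self.buffer_size))

    def on_ack(self, ack):
        """The client's ACK frees every segment it fully covers; return them
        in sequence order as the reassembled stream (gaps are simply absent)."""
        done = sorted(s for s, p in self.segments.items() if s + len(p) <= ack)
        return b"".join(self.segments.pop(s) for s in done)

def replay(window, payloads, acks_seen=True):
    """Feed segments back-to-back. With acks_seen=False the sensor never sees
    the client's ACKs (packet loss), so nothing is ever flushed."""
    buf, seq, stream = ReassemblyBuffer(window), 1, b""
    for p in payloads:
        buf.on_data(seq, p)
        seq += len(p)
        if acks_seen:
            stream += buf.on_ack(seq)
    return buf, stream

if __name__ == "__main__":
    segs = [bytes([i]) * 1460 for i in range(21)]   # 21 full-size segments
    ok, _ = replay(25144, segs)                       # ACKs seen: no warning
    lossy, _ = replay(25144, segs, acks_seen=False)   # ACKs lost: buffer grows
    print(ok.warnings, lossy.warnings[0], sep="\n")
```

With ACKs seen the buffer drains after every segment; with them lost, the held bytes pass the buffer size at the 18th segment and the same warning text as in the original post appears.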
