[Snort-users] Snort behaviour graphic.
emial at ...4389...
Wed Jul 10 14:36:03 EDT 2002
My stream4 and frag2 configurations are the defaults in 1.8.7:
preprocessor stream4: detect_scans, disable_evasion_alerts
There are about 10,000 hosts in my network, and the kind of traffic ...
ummm ... I'm monitoring a university, so HTTP, FTP, p2p I think.
And what did you mean by "I wouldn't be surprised if those times are
when you are hitting a forced session prune"?
On Wed, 10 Jul 2002, Chris Green wrote:
> Emilio Mira <emial at ...4389...> writes:
> > Hi all,
> > I've been doing tests with Snort and I got the attached graphic. We can
> > see traffic received in packets per second with the blue line, Snort dropped
> > pps with the green line, and Snort total VM size in kilobytes. The X axis
> > represents time in hours (a little more than one week).
> > First, why are dropped packets so different between days with similar
> > traffic? (I get dropped packets with a script that compares received
> > packets from the interface with Snort processed packets, from kill
> > -USR1).
> > Second, why is Snort vsize like this? I thought it bears relation to
> > traffic received, but it doesn't.
> What are your stream4 and frag2 configurations? How many hosts are
> you seeing on your network? Any idea on the type of traffic?
> You might try running your statistics with a higher memcap. I
> wouldn't be surprised if those times are when you are hitting a forced
> session prune.