[Snort-users] Snort behaviour graphic.
cmg at ...1935...
Wed Jul 10 15:14:15 EDT 2002
Emilio Mira <emial at ...4389...> writes:
> Hi Chris,
> My stream4 and frag2 configurations are by default in 1.8.7:
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor frag2
> There are about 10,000 hosts in my network, and the kind of traffic ...
> ummm ... I'm monitoring a University, so HTTP, FTP, p2p I think.
Yeah, I think you need to increase your stream4 memcap to 16777216.
I'd be interested in another graphic representing that again.
> And, what did you mean with "I wouldn't be surprised if those times are
> when you are hitting a forced session prune."
Oh, when the state table for the conversation stuff gets full, it will
go through and expire old nodes that are being unused. That can be a
fairly expensive operation (and maybe one worth investigating further
Chris Green <cmg at ...1935...>
A good pun is its own reword.