[Snort-users] Snort behaviour graphic.

Chris Green cmg at ...1935...
Wed Jul 10 15:14:15 EDT 2002


Emilio Mira <emial at ...4389...> writes:

> Hi Chris,
>
> My stream4 and frag2 configurations are by default in 1.8.7:
>
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor frag2
>
> There are about 10,000 hosts in my network, and the kind of traffic ... 
> ummm ... I'm monitoring a University, so HTTP, FTP, p2p I think.

Yeah, I think you need to increase your stream4 memcap to 16777216
at least.

I'd be interested in another graphic representing that again.

>
> And, what did you mean with "I wouldn't be surprised if those times are
> when you are hitting a forced session prune."

Oh, when the state table for the conversation stuff gets full, it will
go through and expire old nodes that are being unused.  That can be a
fairly expensive operation (and maybe one worth investigating further).
-- 
Chris Green <cmg at ...1935...>
A good pun is its own reword.



