[Snort-users] Snort getting overloaded by http traffic:

Imran William Smith iwsmith at ...487...
Tue Jun 25 19:29:02 EDT 2002

And is the buffering done by the kernel / libpcap (as implied
by Keith), or does snort do the buffering?  Does snort have the
ability to buffer packets it is not yet ready to 'process'?  Would
this achieve anything?  I think if you use the HUP signal to snort
to dump statistics and rotate logfiles, it can drop some packets
at this point.

Can anybody clear up quite if / where buffering of packets occurs,
and why 'more memory' is useful to an sensor box?  Of course,
if have MySQL on the same machine, you need memory, but that's
probably a bad idea anyway.

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message ----- 
From: "Jason Haar" <Jason.Haar at ...294...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, June 26, 2002 9:55 AM
Subject: Re: [Snort-users] Snort getting overloaded by http traffic:

| On Tue, Jun 25, 2002 at 01:35:10PM -0400, McCammon, Keith wrote:
| > The amount of traffic that Snort is able to inspect has less to do with
| > Snort and almost everything to do with the underlying operating system, IP
| > stack, and (most importantly) available resources.  If the operating system
| > is short of resources (specifically RAM), then packets are going to be
| > dropped by the kernel due to lack of buffer space and general congestion.
| > As such, they will never be presented to Snort for inspection.
| [mutter, mutter Microsoft - how about some word wrapping!!!]
| Anyway, this comment about RAM - is that actually true? I mean, there's a
| few areas where snort needs to swallow *some* RAM - to track state, etc -
| but other than that it's not a big requirement....
| The reason I ask is that I'm running snort under daemontools as a supervised
| script, and one thing I've done is to tell it it can't grow above 20M as
| that indicates a memory leak. So far snort appears to hang around 10M - so I
| feel happy with that.
| Does snort ever need to grow to > 20Meg???
| -- 
| Cheers
| Jason Haar
| Information Security Manager, Trimble Navigation Ltd.
| Phone: +64 3 9635 377 Fax: +64 3 9635 417
| PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
| -------------------------------------------------------
| This sf.net email is sponsored by: Jabber Inc.
| Don't miss the IM event of the season | Special offer for OSDN members! 
| JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
| _______________________________________________
| Snort-users mailing list
| Snort-users at lists.sourceforge.net
| Go to this URL to change user options or unsubscribe:
| https://lists.sourceforge.net/lists/listinfo/snort-users
| Snort-users list archive:
| http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list