[Snort-users] stream4 memory questions.

Martin Roesch roesch at ...1935...
Thu Mar 14 12:02:07 EST 2002


On 3/14/02 2:27 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:

> Hello,
> 
> I have two questions...
> 
> 1)
> 
> Can someone tell me if there is a memory cap for the preprocessors
> frag2 and stream4? I want to make sure that each snort process on my
> server has MORE than enough memory for what it needs (6 GB in the server!).
> 
> Currently I can see one process uses up to 147 MB of memory,
> 
> 14967 root       1  40    0   27M   27M run   303:39 17.82% snort
> 14972 root       1  31    0  147M  147M sleep 235:55 14.28% snort <----
> 14962 root       1  52    0   18M   18M sleep 244:12  8.59% snort
> 
> These are my snort.conf settings.
> 
> preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
> preprocessor stream4: detect_scans, memcap 134217728 # 128 MB

There are *separate* memcaps for stream4 and frag2; they each have their own
memory pools and memory managers.  If you want to limit it to a total of
128M you need to make it 64MB and 64MB respectively.

> 2)
> Could someone explain the following lines of output to me? They are
> from a kill -USR1 to a snort process.
> 
> Stream Trackers

Number of sessions that had trackers (session data structs) setup for them.

> Stream Flushes

Number of times the stream flush function was called.  BTW, does anyone have
any recommendations for deciding when to flush the streams?  The current
setup is pretty naïve: it flushes if there are more than 2 packets with 128
bytes or more data stored for the stream.  This method pretty much sucks, so
I'm open to suggestions.  We want to model the behavior of the target host
as closely as possible...

> Segments used

This is the number of segments that have been combined during stream
flushes.

> Stream4 Memory faults

This is the number of times the memcap was hit and stream4 had to take
extended measures (flushing old segments first, if that fails flushing 5
random stream trackers at the leaf nodes in the splay tree the trackers are
stored in and all their associated segments).  If this number is large you
should think about increasing your memcap for stream4.

BTW, with ~8MB of RAM you should be able to store approximately 32000
simultaneous sessions in the average case in RAM.  If you don't do stream
reassembly (stateful inspection only) you should be able to store ~64000
sessions.

     -Marty

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
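
Added example (not part of the original message and not Snort code): a small Python check that reads the frag2 and stream4 memcap values from snort.conf text and reports the combined budget per process and across processes, plus a session estimate for stream4. The function names, the process count of 3 and the linear scaling of the ~8MB session figures from the reply are assumptions of this example.

```python
import re

# Ratios from the reply above: ~8MB holds ~32000 sessions with reassembly,
# ~64000 with stateful inspection only. Scaling these linearly to other
# memcap sizes is an assumption of this example.
EIGHT_MB = 8 * 1024 * 1024
SESSIONS_REASSEMBLY = 32000 / EIGHT_MB
SESSIONS_STATEFUL = 64000 / EIGHT_MB

PREPROC_RE = re.compile(r"^\s*preprocessor\s+(\w+)\s*(?::\s*(.*))?$")

def parse_memcaps(conf_text, names=("frag2", "stream4")):
    """Return {preprocessor: memcap in bytes, or None if no memcap option}."""
    caps = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = PREPROC_RE.match(line)
        if not m or m.group(1) not in names:
            continue
        caps[m.group(1)] = None                  # present, memcap not set
        for opt in (m.group(2) or "").split(","):
            parts = opt.split()
            if len(parts) == 2 and parts[0] == "memcap" and parts[1].isdigit():
                caps[m.group(1)] = int(parts[1])
    return caps

def budget(conf_text, processes=1):
    """Sum the separate memcaps: each preprocessor has its own pool."""
    caps = parse_memcaps(conf_text)
    per_process = sum(v for v in caps.values() if v is not None)
    s4 = caps.get("stream4")
    return {
        "memcaps": caps,
        "per_process_bytes": per_process,
        "all_processes_bytes": per_process * processes,
        "stream4_sessions_reassembly": round(s4 * SESSIONS_REASSEMBLY) if s4 else None,
        "stream4_sessions_stateful": round(s4 * SESSIONS_STATEFUL) if s4 else None,
    }

# The two lines quoted in the question, and a 64MB + 64MB split.
QUOTED = ("preprocessor frag2: memcap 134217728, timeout 60 # 128 MB\n"
          "preprocessor stream4: detect_scans, memcap 134217728 # 128 MB\n")
SPLIT = ("preprocessor frag2: memcap 67108864, timeout 60 # 64 MB\n"
         "preprocessor stream4: detect_scans, memcap 67108864 # 64 MB\n")

if __name__ == "__main__":
    for label, conf in (("quoted", QUOTED), ("split", SPLIT)):
        print(label, budget(conf, processes=3))  # 3 processes: constructed value
```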




