[Snort-users] stream4 memory questions.
vjayl at ...3331...
Thu Mar 14 12:27:11 EST 2002
I understand that both of frag2 and stream4 are seperate memory pools, but what
wondering is what is the maximum size I can set these variables.
Martin Roesch wrote:
> On 3/14/02 2:27 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:
> > Hello,
> > I have two questions...
> > 1)
> > Can some one tell me if there is a memory cap for the preprocessors
> > frag2 and streams4? I want to make sure that each snort process on my
> > server
> > has MORE than enough memory than it needs (6 GB in the server!).
> > Currently I can see one process uses up to 147 MB of memory,
> > 14967 root 1 40 0 27M 27M run 303:39 17.82% snort
> > 14972 root 1 31 0 147M 147M sleep 235:55 14.28% snort <----
> > 14962 root 1 52 0 18M 18M sleep 244:12 8.59% snort
> > These are my snort.conf settings.
> > preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
> > preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
> There are *separate* memcaps for stream4 and frag2, they each have their own
> memory pools and memory managers. If you want to limit it to a total of
> 128M you need to make it 64MB and 64MB respectively.
> > 2)
> > Could some one explain the following lines of output to me? They are
> > from a kill -USR1 to a snort process.
> > Stream Trackers
> Number of sessions that had trackers (session data structs) setup for them.
> > Stream Flushes
> Number of times the stream flush function was called. BTW, does anyone have
> any recommendations for deciding when to flush the streams? The current
> setup is pretty naïve, it flushes if there are more than 2 packets with 128
> bytes or more data stored for the stream. This method pretty much sucks, so
> I'm open to suggestions. We want to model the behavior of the target host
> as closely as possible...
> > Segments used
> This is the number of segments that have been combined during stream
> > Stream4 Memory faults
> This is the number of times the memcap was hit and stream4 had to take
> extended measures (flushing old segments first, if that fails flushing 5
> random stream trackers at the leaf nodes in the splay tree the trackers are
> stored in and all their associated segments). If this number is large you
> should think about increasing your memcap for stream4.
> BTW, with ~8MB of RAM you should be able to store approximately 32000
> simultaneous sessions in the average case in RAM. If you don't do stream
> reassembly (stateful inspection only) you should be able to store ~64000
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
V.Jay LaRosa EMC Corporation
Systems Administrator 171 South Street
(508)435-1000 ext 14957 Hopkinton, MA 01748
(508)497-8082 fax www.emc.com
More information about the Snort-users