[Snort-users] stream4 memory questions.

Vjay LaRosa vjayl at ...3331...
Thu Mar 14 12:29:07 EST 2002


Marty,

So if I understand your E-mail correctly, according to this output, I should
increase my stream4 memory cap.

TCP Stream Reassembly Stats:
        TCP Packets Used: 84060320   (91.651%)
         Stream Trackers: 4677076
          Stream flushes: 20
           Segments used: 310
   Stream4 Memory Faults: 542 <-----






Martin Roesch wrote:

> On 3/14/02 2:27 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:
>
> > Hello,
> >
> > I have two questions...
> >
> > 1)
> >
> > Can someone tell me if there is a memory cap for the preprocessors
> > frag2 and stream4? I want to make sure that each snort process on my
> > server has MORE than enough memory than it needs (6 GB in the server!).
> >
> > Currently I can see one process uses up to 147 MB of memory,
> >
> > 14967 root       1  40    0   27M   27M run   303:39 17.82% snort
> > 14972 root       1  31    0  147M  147M sleep 235:55 14.28% snort <----
> > 14962 root       1  52    0   18M   18M sleep 244:12  8.59% snort
> >
> > These are my snort.conf settings.
> >
> > preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
> > preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
>
> There are *separate* memcaps for stream4 and frag2, they each have their own
> memory pools and memory managers.  If you want to limit it to a total of
> 128M you need to make it 64MB and 64MB respectively.
>
> > 2)
> > Could someone explain the following lines of output to me? They are
> > from a kill -USR1 to a snort process.
> >
> > Stream Trackers
>
> Number of sessions that had trackers (session data structs) setup for them.
>
> > Stream Flushes
>
> Number of times the stream flush function was called.  BTW, does anyone have
> any recommendations for deciding when to flush the streams?  The current
> setup is pretty naïve, it flushes if there are more than 2 packets with 128
> bytes or more data stored for the stream.  This method pretty much sucks, so
> I'm open to suggestions.  We want to model the behavior of the target host
> as closely as possible...
>
> > Segments used
>
> This is the number of segments that have been combined during stream
> flushes.
>
> > Stream4 Memory faults
>
> This is the number of times the memcap was hit and stream4 had to take
> extended measures (flushing old segments first, if that fails flushing 5
> random stream trackers at the leaf nodes in the splay tree the trackers are
> stored in and all their associated segments).  If this number is large you
> should think about increasing your memcap for stream4.
>
> BTW, with ~8MB of RAM you should be able to store approximately 32000
> simultaneous sessions in the average case in RAM.  If you don't do stream
> reassembly (stateful inspection only) you should be able to store ~64000
> sessions.
>
>      -Marty
>
> --
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com
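
Added example (not part of the original thread, and not Snort code): a small Python script that reads the kill -USR1 stats block and the snort.conf memcap lines quoted above, adds up the separate frag2 and stream4 pools, and scales the ~8MB per ~32000 sessions estimate from the reply to the configured stream4 memcap. The sample input is copied from this message; the function names and the faults-per-million-trackers figure are assumptions made for illustration.

```python
import re

# Sample input copied from the thread (stats dump and snort.conf lines).
STATS = """\
TCP Stream Reassembly Stats:
        TCP Packets Used: 84060320   (91.651%)
         Stream Trackers: 4677076
          Stream flushes: 20
           Segments used: 310
   Stream4 Memory Faults: 542
"""
CONF = """\
preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
"""
# Rule of thumb from the reply: ~8 MB holds ~32000 sessions with reassembly.
SESSIONS_PER_8MB = 32000

def parse_stats(text):
    """Return {lowercased label: int} for each 'Label: number' line."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 ]+?):\s+(\d+)", line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats

def parse_memcaps(conf):
    """Return {preprocessor: memcap in bytes}; trailing comments are ignored."""
    caps = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        m = re.match(r"\s*preprocessor\s+(\w+):.*?\bmemcap\s+(\d+)", line)
        if m:
            caps[m.group(1)] = int(m.group(2))
    return caps

def report(stats_text, conf_text):
    stats, caps = parse_stats(stats_text), parse_memcaps(conf_text)
    faults = stats.get("stream4 memory faults", 0)
    trackers = stats.get("stream trackers", 0)
    return {
        "faults": faults,
        # Hypothetical normalisation so runs of different length can be compared.
        "faults_per_million_trackers": faults * 10**6 // trackers if trackers else 0,
        # frag2 and stream4 have separate pools, so the worst case is the sum.
        "total_cap_mb": sum(caps.values()) // 2**20,
        "est_stream4_sessions": caps.get("stream4", 0) * SESSIONS_PER_8MB // (8 * 2**20),
    }

if __name__ == "__main__":
    print(report(STATS, CONF))
```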






