[Snort-users] stream4 memory questions.
roesch at ...1935...
Thu Mar 14 13:06:53 EST 2002
On 3/14/02 3:13 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:
> Hi Marty,
> I understand that both frag2 and stream4 are separate memory pools, but
> I was wondering what the maximum size is that I can set these variables to.
There's no maximum size, you can set it as large as you like. Well, within
the bounds of an unsigned 32-bit anyway.
> Martin Roesch wrote:
>> On 3/14/02 2:27 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:
>>> I have two questions...
>>> Can someone tell me if there is a memory cap for the preprocessors
>>> frag2 and stream4? I want to make sure that each snort process on my
>>> has MORE than enough memory than it needs (6 GB in the server!).
>>> Currently I can see one process uses up to 147 MB of memory,
>>> 14967 root 1 40 0 27M 27M run 303:39 17.82% snort
>>> 14972 root 1 31 0 147M 147M sleep 235:55 14.28% snort <----
>>> 14962 root 1 52 0 18M 18M sleep 244:12 8.59% snort
>>> These are my snort.conf settings.
>>> preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
>>> preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
>> There are *separate* memcaps for stream4 and frag2, they each have their own
>> memory pools and memory managers. If you want to limit it to a total of
>> 128M you need to make it 64MB and 64MB respectively.
>>> Could someone explain the following lines of output to me? They are
>>> from a kill -USR1 to a snort process.
>>> Stream Trackers
>> Number of sessions that had trackers (session data structs) set up for them.
>>> Stream Flushes
>> Number of times the stream flush function was called. BTW, does anyone have
>> any recommendations for deciding when to flush the streams? The current
>> setup is pretty naïve, it flushes if there are more than 2 packets with 128
>> bytes or more data stored for the stream. This method pretty much sucks, so
>> I'm open to suggestions. We want to model the behavior of the target host
>> as closely as possible...
>>> Segments used
>> This is the number of segments that have been combined during stream
>>> Stream4 Memory faults
>> This is the number of times the memcap was hit and stream4 had to take
>> extended measures (flushing old segments first, if that fails flushing 5
>> random stream trackers at the leaf nodes in the splay tree the trackers are
>> stored in and all their associated segments). If this number is large you
>> should think about increasing your memcap for stream4.
>> BTW, with ~8MB of RAM you should be able to store approximately 32000
>> simultaneous sessions in the average case in RAM. If you don't do stream
>> reassembly (stateful inspection only) you should be able to store ~64000
>> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
>> Sourcefire: Professional Snort Sensor and Management Console appliances
>> roesch at ...1935... - http://www.sourcefire.com
>> Snort: Open Source Network IDS - http://www.snort.org
> V.Jay LaRosa EMC Corporation
> Systems Administrator 171 South Street
> (508)435-1000 ext 14957 Hopkinton, MA 01748
> (508)497-8082 fax www.emc.com
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
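
The memcap accounting discussed in this thread, as an added example that is not part of the original messages or of Snort itself: it parses `preprocessor` lines, sums the separate frag2 and stream4 pools, and checks them against a total budget and the unsigned 32-bit bound mentioned in the reply. The function names and the even-split helper are assumptions made for illustration; the sample input is constructed from the two config lines quoted above.

```python
import re

U32_MAX = 2**32 - 1  # the reply bounds memcap by an unsigned 32-bit value

# Constructed sample: the two preprocessor lines quoted in the thread.
SAMPLE_CONF = """\
preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
"""

PREPROC_RE = re.compile(r"^\s*preprocessor\s+(\w+)\s*:\s*(.*)$")

def parse_memcaps(conf_text):
    """Return {preprocessor_name: memcap_bytes} for lines that set a memcap."""
    caps = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = PREPROC_RE.match(line)
        if not m:
            continue
        name, opts = m.groups()
        for opt in opts.split(","):
            parts = opt.split()
            if len(parts) == 2 and parts[0] == "memcap":
                caps[name] = int(parts[1])
    return caps

def audit(conf_text, budget_bytes):
    """Check each memcap against the 32-bit bound and the sum against a budget."""
    caps = parse_memcaps(conf_text)
    total = sum(caps.values())  # pools are separate, so the caps add up
    return {
        "caps": caps,
        "total": total,
        "over_u32": sorted(n for n, v in caps.items() if v > U32_MAX),
        "over_budget": total > budget_bytes,
    }

def split_budget(budget_bytes, names=("frag2", "stream4")):
    """Even split of one budget across separate pools (64 MB + 64 MB for 128 MB)."""
    share = budget_bytes // len(names)
    return {n: share for n in names}

if __name__ == "__main__":
    mb = 1024 * 1024
    print(audit(SAMPLE_CONF, 128 * mb))
    print(split_budget(128 * mb))
```
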