[Snort-users] stream4 memory questions.

Martin Roesch roesch at ...1935...
Thu Mar 14 13:07:50 EST 2002


Looks like it to me, this must be a pretty busy network... :)

     -Marty

On 3/14/02 3:16 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:

> Marty,
> 
> So if I understand your E-mail correctly, according to this output, I should
> increase my stream4 memory cap.
> 
> TCP Stream Reassembly Stats:
>       TCP Packets Used: 84060320   (91.651%)
>        Stream Trackers: 4677076
>         Stream flushes: 20
>          Segments used: 310
>  Stream4 Memory Faults: 542 <-----
> 
> Martin Roesch wrote:
> 
>> On 3/14/02 2:27 PM, "Vjay LaRosa" <vjayl at ...3331...> wrote:
>> 
>>> Hello,
>>> 
>>> I have two questions...
>>> 
>>> 1)
>>> 
>>> Can someone tell me if there is a memory cap for the preprocessors
>>> frag2 and stream4? I want to make sure that each snort process on my
>>> server has MORE than enough memory for what it needs (6 GB in the server!).
>>> 
>>> Currently I can see one process uses up to 147 MB of memory,
>>> 
>>> 14967 root       1  40    0   27M   27M run   303:39 17.82% snort
>>> 14972 root       1  31    0  147M  147M sleep 235:55 14.28% snort <----
>>> 14962 root       1  52    0   18M   18M sleep 244:12  8.59% snort
>>> 
>>> These are my snort.conf settings.
>>> 
>>> preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
>>> preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
>> 
>> There are *separate* memcaps for stream4 and frag2, they each have their own
>> memory pools and memory managers.  If you want to limit it to a total of
>> 128M you need to make it 64MB and 64MB respectively.
>> 
>>> 2)
>>> Could someone explain the following lines of output to me? They are
>>> from a kill -USR1 to a snort process.
>>> 
>>> Stream Trackers
>> 
>> Number of sessions that had trackers (session data structs) setup for them.
>> 
>>> Stream Flushes
>> 
>> Number of times the stream flush function was called.  BTW, does anyone have
>> any recommendations for deciding when to flush the streams?  The current
>> setup is pretty naïve, it flushes if there are more than 2 packets with 128
>> bytes or more data stored for the stream.  This method pretty much sucks, so
>> I'm open to suggestions.  We want to model the behavior of the target host
>> as closely as possible...
>> 
>>> Segments used
>> 
>> This is the number of segments that have been combined during stream
>> flushes.
>> 
>>> Stream4 Memory faults
>> 
>> This is the number of times the memcap was hit and stream4 had to take
>> extended measures (flushing old segments first, if that fails flushing 5
>> random stream trackers at the leaf nodes in the splay tree the trackers are
>> stored in and all their associated segments).  If this number is large you
>> should think about increasing your memcap for stream4.
>> 
>> BTW, with ~8MB of RAM you should be able to store approximately 32000
>> simultaneous sessions in the average case in RAM.  If you don't do stream
>> reassembly (stateful inspection only) you should be able to store ~64000
>> sessions.
>> 
>>      -Marty
>> 
>> --
>> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
>> Sourcefire: Professional Snort Sensor and Management Console appliances
>> roesch at ...1935... - http://www.sourcefire.com
>> Snort: Open Source Network IDS - http://www.snort.org
> 
> --
> V.Jay LaRosa                           EMC Corporation
> Systems Administrator                  171 South Street
> (508)435-1000 ext 14957                Hopkinton, MA 01748
> (508)497-8082 fax                      www.emc.com
> 

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
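
Added example, not part of the original thread and not Snort code: a small check that reads the two things discussed above, the frag2/stream4 memcap options in snort.conf and the "Stream4 Memory Faults" counter from the USR1 stats, and reports the combined cap (the pools are separate, so the caps add) and whether the stream4 cap was hit. The function names are this example's own, and the sample input is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample input, shaped like the lines quoted in the thread.
SNORT_CONF = """\
preprocessor frag2: memcap 134217728, timeout 60 # 128 MB
preprocessor stream4: detect_scans, memcap 134217728 # 128 MB
"""
USR1_STATS = """\
TCP Stream Reassembly Stats:
      TCP Packets Used: 84060320   (91.651%)
       Stream Trackers: 4677076
        Stream flushes: 20
         Segments used: 310
 Stream4 Memory Faults: 542
"""

def memcaps(conf_text):
    """Return {preprocessor: memcap_bytes} for frag2/stream4 lines that set one."""
    caps = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop the trailing comment
        m = re.match(r"\s*preprocessor\s+(frag2|stream4)\s*:(.*)", line)
        if not m:
            continue
        opt = re.search(r"\bmemcap\s+(\d+)", m.group(2))
        if opt:  # lines without an explicit memcap are skipped, not guessed
            caps[m.group(1)] = int(opt.group(1))
    return caps

def stream_stats(stats_text):
    """Parse 'Name: number' counters; the block title has no number and is skipped."""
    stats = {}
    for line in stats_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 ]+?):\s+(\d+)", line)
        if m:
            stats[m.group(1).strip().lower()] = int(m.group(2))
    return stats

def review(conf_text, stats_text):
    caps = memcaps(conf_text)
    faults = stream_stats(stats_text).get("stream4 memory faults", 0)
    return {
        "combined_memcap_bytes": sum(caps.values()),  # separate pools: caps add up
        "stream4_memory_faults": faults,
        "memcap_was_hit": faults > 0,  # stream4 had to flush segments/trackers
    }

if __name__ == "__main__":
    print(review(SNORT_CONF, USR1_STATS))
```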
