[Snort-users] Stream4 behavior

sekure sekure at ...11827...
Mon Mar 27 13:25:05 EST 2006


I went from seeing around 200 stream flushes per second to about 3000.
 Needless to say CPU spiked to 100% and snort is dropping upwards of
60% of packets.

I tried increasing the stream4 memcap from defaul 8MB to 128 MB with
no improvement in performance.

This is an Intel 2.8 Xeon with 1GB RAM which had no problems dealing
with ~80-90Mbps on an average basis.

Here is my relevant config:
preprocessor stream4: disable_evasion_alerts, detect_scans, memcap
134217728, timeout 60
preprocessor stream4_reassemble: both

While i hunt down the source of the problem, can someone answer my questions:

Other than the stream timing out based on the timeout value, what else
would cause a stream to be flushed?
What can I do to enable snort to cope better with this?

More information about the Snort-users mailing list