[Snort-users] Stream4 behavior

sekure sekure at ...11827...
Mon Mar 27 14:22:04 EST 2006


Joel,

I'd love to know myself.  Nothing changed configuration-wise in
snort.  My guess is someone started doing something funky on the
network.  I can't put my finger on it.  I see a lot of netbios traffic
with iptraf, so perhaps someone is copying tons of stuff, though I
have no idea what they'd be copying for the past 6 hours.

BTW, the packets/second count also went up from about 8K to 20K at the
same time.

I RTFM'ed and tried playing around with some of the new stream4
parameters.  Currently I have it configured like so:

preprocessor stream4: disable_evasion_alerts, detect_scans, memcap 67108864, self_preservation_threshold 3500, suspend_threshold 5000, max_sessions 65536, timeout 20

No change, still dropping packets like crazy.  Running Snort version 2.4.2.

I'd appreciate any help.

On 3/27/06, Joel Esler <joel.esler at ...1935...> wrote:
> You say you went from 200 to about 3000?  What changed?  Please
> provide more info if you could, we'd be glad to help.
>
> J
>
> On Mar 27, 2006, at 4:24 PM, sekure wrote:
>
> > Question:
> >
> > I went from seeing around 200 stream flushes per second to about 3000.
> > Needless to say, the CPU spiked to 100% and snort is dropping upwards of
> > 60% of packets.
> >
> > I tried increasing the stream4 memcap from the default 8MB to 128MB with
> > no improvement in performance.
> >
> > This is an Intel 2.8 Xeon with 1GB RAM which had no problems dealing
> > with ~80-90Mbps on an average basis.
> >
> > Here is my relevant config:
> >
> > preprocessor stream4: disable_evasion_alerts, detect_scans, memcap 134217728, timeout 60
> > preprocessor stream4_reassemble: both
> >
> > While I hunt down the source of the problem, can someone answer my
> > questions:
> >
> > Other than the stream timing out based on the timeout value, what else
> > would cause a stream to be flushed?
> > What can I do to enable snort to cope better with this?
> >