[Snort-users] Stream4 behavior
jasonb at ...1935...
Tue Mar 28 10:22:12 EST 2006
Unless you are getting stream faults and/or timeouts, nothing you do
with stream will help. Flushes are good behavior. Your mail indicates
that you have a sudden increase in traffic. Find out why you have spikes
and you will find out what is going on. The only other thing you can do
is put in a bigger sensor to handle larger volumes of traffic / sessions.
> Joel, snorters
> Any ideas? Whatever was happening has subsided, and I am back to
> about 200 stream flushes/second and around 10K packets/sec. But I
> went looking through my perfmonitor graphs and I see short spikes in
> packets/sec, tied to spikes in stream flushes/second tied to CPU
> utilization nearing 100% and packets dropped all over the floor.
> Seems that nothing I do with stream4 parameters helps.
> Do you have any suggestions for me to try? Is there any guidance for
> configuring stream4 preprocessor, other than what's in the
> On 3/27/06, sekure <sekure at ...11827...> wrote:
>>I'd love to know myself. Nothing changed snort configuration-wise in
>>snort. My guess is someone started doing something funky on the
>>network. I can't put my finger on it. I see a lot of netbios traffic
>>with iptraf, so perhaps someone is copying tons of stuff, though I
>>have no idea what they'd be copying for the past 6 hours.
>>BTW, the packets/second count also went up from about 8K to 20K at the
>>I RTFM'ed and tried playing around with some of the new stream4
>>parameters. Currently I have it configured like so:
>>preprocessor stream4: disable_evasion_alerts, detect_scans, memcap
>>67108864, self_preservation_threshold 3500, suspend_threshold 5000,
>>max_sessions 65536, timeout 20
>>No change, still dropping packets like crazy. Running Snort Version 2.4.2
>>I'd appreciate any help.
>>On 3/27/06, Joel Esler <joel.esler at ...1935...> wrote:
>>>You say you went from 200 to about 3000? What changed? Please
>>>provide more info if you could, we'd be glad to help.
>>>On Mar 27, 2006, at 4:24 PM, sekure wrote:
>>>>I went from seeing around 200 stream flushes per second to about 3000.
>>>> Needless to say CPU spiked to 100% and snort is dropping upwards of
>>>>60% of packets.
>>>>I tried increasing the stream4 memcap from default 8MB to 128 MB with
>>>>no improvement in performance.
>>>>This is an Intel 2.8 Xeon with 1GB RAM which had no problems dealing
>>>>with ~80-90Mbps on an average basis.
>>>>Here is my relevant config:
>>>>preprocessor stream4: disable_evasion_alerts, detect_scans, memcap
>>>>134217728, timeout 60
>>>>preprocessor stream4_reassemble: both
>>>>While I hunt down the source of the problem, can someone answer my
>>>>Other than the stream timing out based on the timeout value, what else
>>>>would cause a stream to be flushed?
>>>>What can I do to enable snort to cope better with this?