[Snort-users] Alert payloads not matching alert rules

Joel Esler joel.esler at ...1935...
Mon Nov 27 09:13:12 EST 2006


No, I do not mean multiple instances of Snort overwriting each other's memory.  "its OWN memory".  I am talking about a single Snort process.  Then when you try and run 3 on the same box, you wind up trying to cram too much traffic in too small of a hole.

Plus there is no way to know how the Snort process is tuned.  Follow Marc's advice and use "zero_flushed_packets" within stream4.

J


On Thu, Nov 23, 2006 at 09:21:51AM +1300, it looks like Jason Haar sent me:
> Joel Esler wrote:
> > Are you dropping any packets?  It seems that with 3 processes of Snort, on the same box, with only 2 Gigs of RAM trying to analyze that much traffic, you are probably dropping packets in addition to Snort overwriting its own memory.
> >
> Hi Joel
> 
> Can you explain what you mean by snort overwriting its own memory? How
> is that possible? I thought standard OS process separation would stop
> that? (I am assuming you meant having >1 snort process leads to one
> snort process "corrupting" another)
> 
> I also routinely run multiple snort instances - this comes as a bit of a
> shock...
> 
> -- 
> Cheers
> 
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> 
+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+