[Snort-users] stream4 configuration - high bandwidth

Gentoo-Wally gentoowally at ...11827...
Fri Sep 1 13:33:03 EDT 2006


Most of my sensor deployments have been in relatively low bandwidth
environments. I have recently deployed a sensor (snort 2.4.5) in an
area that sees between 100 Mb/s - 250 Mb/s. This sensor will be
monitoring an uplink port behind which sits 100 servers (mix of
win2k, win2k3, linux and solaris). So I'm obviously looking to tune my
preprocessors to the best of my ability. I've been poring over snort
docs (doesn't appear to be a README for stream4 in the docs dir BTW)
and googling 'til my fingers bleed but I still have some questions,
specifically regarding stream4.

How can I determine what values I should use for the following...

max_sessions
server_inspect_limit
memcap

I guess what I need to know is what type of bandwidth usage are the
defaults targeted for? Are the defaults over/under kill for a sensor
seeing 100-250 Mb/s? What type of data should I collect (from snort or
network gear) to help me identify the right values for my environment?
I've never seen any numbers for streams on my network gear, only
flows.

If anyone has any non-stream4 advice or 'Watch out for...'s for a
sensor watching this level of traffic...I'm all ears.

Thx for the help,

Wally
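One way to turn the flow records Wally mentions into the session number that stream4's max_sessions has to cover, as an added example that is not part of the original post: a sweep over flow start/end times gives the peak number of simultaneously open TCP flows. The CSV layout (start_epoch,end_epoch,proto) and the sample rows are assumptions; real exporters differ.

```python
import csv
import io
import math

# Constructed sample flow export (not real data); the CSV layout is assumed.
SAMPLE_EXPORT = """start,end,proto
0,10,tcp
2,5,tcp
4,12,tcp
6,8,udp
7,20,tcp
11,13,tcp
15,16,tcp
19,25,tcp
"""

def parse_flows(text, proto="tcp"):
    """Return [(start, end), ...] for flows of the given protocol."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["proto"].lower() != proto:
            continue
        start, end = int(row["start"]), int(row["end"])
        if end < start:
            raise ValueError(f"flow ends before it starts: {row}")
        flows.append((start, end))
    return flows

def peak_concurrent(flows):
    """Sweep-line count of simultaneously open flows -> (peak, time_of_peak).
    At equal timestamps a start is counted before an end (conservative)."""
    events = []
    for start, end in flows:
        events.append((start, 0, +1))  # 0 sorts before 1: starts first
        events.append((end, 1, -1))
    events.sort()
    open_now, peak, peak_at = 0, 0, None
    for when, _, delta in events:
        open_now += delta
        if open_now > peak:
            peak, peak_at = open_now, when
    return peak, peak_at

def suggest_max_sessions(peak, headroom=2.0):
    """Observed peak scaled up for bursts and flows the exporter missed;
    the factor is a starting point to revisit, not a Snort rule."""
    return int(math.ceil(peak * headroom))

peak, at = peak_concurrent(parse_flows(SAMPLE_EXPORT))
print(f"peak {peak} TCP sessions at t={at}; try max_sessions >= {suggest_max_sessions(peak)}")
```

Run it against a day's worth of exported flows from the uplink's switch or router; the peak, not the average, is what the session table must hold.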
