[Snort-users] Getting tuned finally!

Joel Esler eslerj at ...11827...
Wed Mar 11 17:19:05 EDT 2009


If you increase this number, obviously it will allow you to track more
sessions.  What is the placement of your sensor (inside or outside
firewall?)
J

On Wed, Mar 11, 2009 at 4:55 PM, Jefferson, Shawn <
Shawn.Jefferson at ...14448...> wrote:

>  So I think I’m finally getting my snort sensor tuned so that I am
> achieving a balance between resources (not dropping any packets according to
> snorts.stats) and having some of the EmergingThreats rulesets enabled.  I do
> have some questions about the stream5 preprocessor though.
>
> I noticed that I was getting “faults” occasionally, and subsequent messages
> in the daemon.log about pruning sessions, so I increased the memcap limit
> until these went away.  Is this a “correct” action to take?
>
> Also, I noticed that my Open Sessions stats show open sessions to pretty
> much always be equal to max sessions, which is set at 8192.  Should I be
> increasing this, or is that normal behaviour?
>
> Thanks,
> Shawn
>
>
>
>
>
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090311/cac842d6/attachment.html>


More information about the Snort-users mailing list