[Snort-users] Getting tuned finally!

Jason Brvenik jasonb at ...1935...
Wed Mar 11 17:21:46 EDT 2009

Tuning it by increasing memcap is appropriate. That the max sessions
and open session always match could indicate a lack of memory still
but more likely indicates that you are not getting the full session.
Check to make sure you are getting the full three way handshake and
session tear down.

On Wed, Mar 11, 2009 at 4:55 PM, Jefferson, Shawn
<Shawn.Jefferson at ...14448...> wrote:
> So I think I’m finally getting my snort sensor tuned so that I am achieving
> a balance between resources (not dropping any packets according to
> snorts.stats) and having some of the EmergingThreats rulesets enabled.  I do
> have some questions about the stream5 preprocessor though.
> I noticed that I was getting “faults” occasionally, and subsequent messages
> in the daemon.log about pruning sessions, so I increased the memcap limit
> until these went away.  Is this a “correct” action to take?
> Also, I noticed that my Open Sessions stats show open sessions to pretty
> much always be equal to max sessions, which is set at 8192.  Should I be
> increasing this, or is that normal behaviour?
> Thanks,
> Shawn
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list