[Snort-users] Getting tuned finally!

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed Mar 11 17:25:04 EDT 2009


The sensor is on the inside of the firewall, but it's fairly busy.

Tracking more sessions sounds like a good thing... ?  Should I bump this up and monitor the performance?

From: jesler at ...1935... [mailto:jesler at ...1935...] On Behalf Of Joel Esler
Sent: March 11, 2009 2:19 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Getting tuned finally!

If you increase this number, obviously it will allow you to track more sessions.  What is the placement of your sensor (inside or outside firewall?)

On Wed, Mar 11, 2009 at 4:55 PM, Jefferson, Shawn <Shawn.Jefferson at ...14534...> wrote:
So I think I'm finally getting my snort sensor tuned so that I am achieving a balance between resources (not dropping any packets according to snorts.stats) and having some of the EmergingThreats rulesets enabled.  I do have some questions about the stream5 preprocessor though.

I noticed that I was getting "faults" occasionally, and subsequent messages in the daemon.log about pruning sessions, so I increased the memcap limit until these went away.  Is this a "correct" action to take?

Also, I noticed that my Open Sessions stats show open sessions to pretty much always be equal to max sessions, which is set at 8192.  Should I be increasing this, or is that normal behaviour?



Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...