[Snort-users] Getting tuned finally!

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed Mar 11 17:25:04 EDT 2009


Hi,

The sensor is on the inside of the firewall, but it's fairly busy.

Tracking more sessions sounds like a good thing... ?  Should I bump this up and monitor the performance?

________________________________
From: jesler at ...1935... [mailto:jesler at ...1935...] On Behalf Of Joel Esler
Sent: March 11, 2009 2:19 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Getting tuned finally!

If you increase this number, obviously it will allow you to track more sessions.  What is the placement of your sensor (inside or outside firewall?)

J
On Wed, Mar 11, 2009 at 4:55 PM, Jefferson, Shawn <Shawn.Jefferson at ...14534......<mailto:Shawn.Jefferson at ...14448...>> wrote:
So I think I'm finally getting my snort sensor tuned so that I am achieving a balance between resources (not dropping any packets according to snorts.stats) and having some of the EmergingThreats rulesets enabled.  I do have some questions about the stream5 preprocessor though.

I noticed that I was getting "faults" occasionally, and subsequent messages in the daemon.log about pruning sessions, so I increased the memcap limit until these went away.  Is this a "correct" action to take?

Also, I noticed that my Open Sessions stats show open sessions to pretty much always be equal to max sessions, which is set at 8192.  Should I be increasing this, or is that normal behaviour?

Thanks,
Shawn




------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0d%0aSnort-users> list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...<mailto:jesler at ...1935...>
[m]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090311/5dc52a5e/attachment.html>


More information about the Snort-users mailing list