[Snort-users] Getting tuned finally!

Joel Esler eslerj at ...11827...
Wed Mar 11 19:21:42 EDT 2009


Good point there.

On Wed, Mar 11, 2009 at 7:07 PM, Jason Brvenik <jasonb at ...1935...> wrote:

> IMHO syn and syn-ack will rarely line up, syn is common because of
> incorrect addresses, denied downstream, scanning, etc. The true metric
> is Syn-Ack VS FIN if you ask me.
>
> On Wed, Mar 11, 2009 at 5:39 PM, Joel Esler <eslerj at ...11827...> wrote:
> > Give it a try.
> > The reason I asked is that if your sensor is outside the firewall, your SYN
> > and SYN-ACK count won't line up, eating sessions.  That's why I was asking.
> > J
> >
> > On Wed, Mar 11, 2009 at 5:25 PM, Jefferson, Shawn
> > <Shawn.Jefferson at ...14448...> wrote:
> >>
> >> Hi,
> >>
> >> The sensor is on the inside of the firewall, but it’s fairly busy.
> >>
> >> Tracking more sessions sounds like a good thing… ?  Should I bump this up
> >> and monitor the performance?
> >>
> >> ________________________________
> >>
> >> From: jesler at ...1935... [mailto:jesler at ...1935...] On Behalf Of
> >> Joel Esler
> >> Sent: March 11, 2009 2:19 PM
> >> To: Jefferson, Shawn
> >> Cc: Snort-users at lists.sourceforge.net
> >> Subject: Re: [Snort-users] Getting tuned finally!
> >>
> >> If you increase this number, obviously it will allow you to track more
> >> sessions.  What is the placement of your sensor (inside or outside
> >> firewall?)
> >>
> >> J
> >>
> >> On Wed, Mar 11, 2009 at 4:55 PM, Jefferson, Shawn
> >> <Shawn.Jefferson at ...14448...> wrote:
> >>
> >> So I think I’m finally getting my snort sensor tuned so that I am
> >> achieving a balance between resources (not dropping any packets according to
> >> snort.stats) and having some of the EmergingThreats rulesets enabled.  I do
> >> have some questions about the stream5 preprocessor though.
> >>
> >> I noticed that I was getting “faults” occasionally, and subsequent
> >> messages in the daemon.log about pruning sessions, so I increased the memcap
> >> limit until these went away.  Is this a “correct” action to take?
> >>
> >> Also, I noticed that my Open Sessions stats show open sessions to pretty
> >> much always be equal to max sessions, which is set at 8192.  Should I be
> >> increasing this, or is that normal behaviour?
> >>
> >> Thanks,
> >>
> >> Shawn
> >>
> ------------------------------------------------------------------------------
> >> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> >> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> >> easily build your RIAs with Flex Builder, the Eclipse(TM)based
> development
> >> software that enables intelligent coding and step-through debugging.
> >> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
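Jason's point above, that SYN-ACK versus FIN tracks real sessions while raw SYN counts are inflated by scans, denied connections and bad addresses, can be checked against a packet sample. The following is an added example, not code from Snort or from anyone in this thread: it replays constructed packet summaries in time order, opens a session on each SYN-ACK, closes it on the first FIN or RST from either side (a simplification of stream5's TCP state machine, which waits for both sides to finish), and compares the peak number of open sessions with an assumed MAX_TCP of 8192, the figure Shawn mentions. The Pkt fields, the sample traffic and the advice strings are all constructed for this illustration.

```python
"""Estimate stream5 TCP session-table pressure from handshake and teardown
counts, following the thread's suggestion that SYN-ACK versus FIN (not SYN
versus SYN-ACK) is the metric that tracks real sessions.

Added example, not code from Snort or from anyone in the thread. The packets
below are constructed by hand to stand in for what a sensor inside the
firewall sees; the field names and the MAX_TCP constant are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Assumed setting, mirrors the max sessions of 8192 mentioned in the thread.
MAX_TCP = 8192


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str    # "ip:port"
    dst: str    # "ip:port"
    flags: str  # any of S, A, F, R


def flow_key(p: Pkt) -> tuple:
    """Direction-independent key, so both halves of a connection share a session."""
    return tuple(sorted((p.src, p.dst)))


def classify(flags: str) -> str:
    """Map a flag string to the handshake/teardown event it represents."""
    f = set(flags)
    if "S" in f:
        return "synack" if "A" in f else "syn"
    if "F" in f:
        return "fin"
    if "R" in f:
        return "rst"
    return "data"


def session_stats(packets: Iterable[Pkt], max_tcp: int = MAX_TCP) -> dict:
    """Replay packets in time order and track sessions the way a session table
    would: a SYN-ACK opens one, a FIN or RST from either side closes it
    (simplified; stream5 itself waits for both sides to close)."""
    counts = Counter()
    syn_seen, ever_open, open_now = set(), set(), set()
    peak = 0
    for p in sorted(packets, key=lambda q: q.ts):
        kind = classify(p.flags)
        counts[kind] += 1
        k = flow_key(p)
        if kind == "syn":
            syn_seen.add(k)
        elif kind == "synack":
            ever_open.add(k)
            open_now.add(k)
            peak = max(peak, len(open_now))
        elif kind in ("fin", "rst"):
            open_now.discard(k)
    # SYNs that never got a SYN-ACK: scans, denied downstream, wrong addresses.
    unanswered = len(syn_seen - ever_open)
    return {
        "syn": counts["syn"],
        "synack": counts["synack"],
        "fin": counts["fin"],
        "rst": counts["rst"],
        "unanswered_syn_flows": unanswered,
        "peak_open": peak,
        "still_open": len(open_now),
        "saturated": peak >= max_tcp,
    }


def advice(stats: dict) -> str:
    """One-line reading of the numbers, in the terms used in the thread."""
    if stats["saturated"]:
        return "peak open sessions reached max_tcp: table is full and stream5 will prune"
    if stats["unanswered_syn_flows"] > stats["synack"]:
        return "most SYNs never complete: SYN count overstates real sessions"
    return "session table has headroom"


def sample_packets() -> list:
    """Constructed traffic: two flows closed by FIN, two unanswered scan SYNs,
    one RST-aborted flow and one flow still open at the end of the window."""
    S80, S443, S22, S23 = "10.0.0.5:80", "10.0.0.5:443", "10.0.0.5:22", "10.0.0.5:23"
    return [
        Pkt(0.0, "10.0.1.10:1000", S80, "S"),
        Pkt(0.1, S80, "10.0.1.10:1000", "SA"),
        Pkt(0.2, "10.0.1.10:1000", S80, "A"),
        Pkt(0.3, "10.0.1.11:2000", S443, "S"),
        Pkt(0.4, S443, "10.0.1.11:2000", "SA"),
        Pkt(0.5, "10.0.1.99:3000", S22, "S"),   # scan, never answered
        Pkt(0.6, "10.0.1.99:3001", S23, "S"),   # scan, never answered
        Pkt(0.7, "10.0.1.12:4000", S80, "S"),
        Pkt(0.8, S80, "10.0.1.12:4000", "SA"),
        Pkt(0.9, "10.0.1.10:1000", S80, "FA"),
        Pkt(1.0, S80, "10.0.1.10:1000", "FA"),
        Pkt(1.1, "10.0.1.12:4000", S80, "R"),   # aborted
        Pkt(1.2, "10.0.1.13:5000", S80, "S"),
        Pkt(1.3, S80, "10.0.1.13:5000", "SA"),
        Pkt(1.4, "10.0.1.11:2000", S443, "FA"),
    ]


if __name__ == "__main__":
    st = session_stats(sample_packets())
    print(st)
    print(advice(st))
```

Reading the output: if peak_open sits at max_tcp, "open sessions equal to max sessions" means the table is saturated and stream5 is pruning, not that the traffic happens to match the limit; if unanswered SYN flows dominate, the SYN count says little about session load, which is Jason's objection to comparing SYN with SYN-ACK. On a real sensor the same counts come from the perfmonitor and stream5 statistics rather than from a packet replay.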