[Snort-users] VRT stream5 Preprocessor Config vs Default Settings

Russ Combs rcombs at ...1935...
Fri Apr 29 10:33:29 EDT 2011


On Fri, Apr 29, 2011 at 10:28 AM, Matt Watchinski <
mwatchinski at ...1935...> wrote:

> Stream5's config parser is pretty loose, so commas or spaces are ok
> and can be interchanged.  This is inconsistent though in my opinion,
> so I'll reformat it for the ,\ per line as suggested below so it's easier
> to read in the 2.9.0.5 conf file for the next rule package we release.
>

FYI - we have a bug targeted for the 2.9.1 release that tightens up
stream5's comma-related parsing.  In some cases, if a comma doesn't separate
keywords, the latter keyword is ignored.

>
> As for the max_tcp number being set to 8192, the CVS comments for
> when this was set in the 2861 conf are that it is for memory allocation
> reasons in stream5, as it pre-allocates memory per stream tracked.
> Since the default is a higher number, I'll update it to reflect that
> default in the 2905.conf
>
> Thanks for the feedback.
>
> Cheers,
> -matt
>
>
>
> On Thu, Apr 28, 2011 at 5:20 PM, Eoin Miller
> <eoin.miller at ...14586...> wrote:
> > VRT supplied snort.conf file that comes with 2.9.0.4 as of today contains
> > this line:
> >
> > ---snip---
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,
> > track_icmp no max_active_responses 2 min_response_seconds 5
> >              ^                      ^
> >              |---missing commas?----|
> > ---snip---
> >
> > I guess it still loads it with these options? If not it should look like
> > (separated by line to make easier to read in the email threads):
> >
> > preprocessor stream5_global: max_tcp 8192,\
> > track_tcp yes,\
> > track_udp yes,\
> > track_icmp no,\
> > max_active_responses 2,\
> > min_response_seconds 5
> >
> > Some of those settings are even less than what is turned on by default
> > though it would appear. max_tcp is set to 8192 in the VRT conf as shown
> > above, however the 2.9.0.5 manual states:
> > --snip--
> > max_tcp <num sessions> || Maximum simultaneous TCP sessions tracked. The
> > default is "262144", maximum is "1048576", minimum is "1".
> > --snip--
> >
> > What else is weird is that max_udp is missing in the config and therefore the
> > default value of 131072 would kick in, so the VRT config has you tracking a
> > lot more UDP sessions than TCP sessions with stream5. From the 2.9.0.5
> > manual:
> > --snip--
> > max_udp <num sessions> || Maximum simultaneous UDP sessions tracked. The
> > default is "131072", maximum is "1048576", minimum is "1".
> > --snip--
> >
> > Not sure if this is by design or just an artifact from the previous
> > snort.conf's where this has been set to this value forever in recent memory.
> > Value does seem pretty low however.
> >
> >
> > I guess something more like:
> >
> > preprocessor stream5_global: track_tcp yes,\
> > track_udp yes,\
> > track_icmp no,\
> > max_active_responses 2,\
> > min_response_seconds 5
> >
> > Or:
> >
> > preprocessor stream5_global: track_tcp yes,\
> > max_tcp 262144,\
> > track_udp yes,\
> > max_udp 131072,\
> > track_icmp no,\
> > max_active_responses 2,\
> > min_response_seconds 5
> >
> > Thought this might be worthy of review/consideration for others.
> >
> > -- Eoin
> >
> >
> >
>
>
>
> --
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-blog.snort.org && http://www.snort.org/vrt/
>
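A small lint for the two issues raised in this thread (keyword pairs not separated by commas, and max_tcp/max_udp set below or left at the manual defaults), added here as an example rather than code from Snort or from anyone in the thread. The defaults are the 2.9.0.5 manual values quoted above, the sample lines are copies of the conf lines in the thread, and the split-on-comma logic is an assumed approximation of the tightened stream5 parsing Russ describes, not the real parser.

```python
import re

# Defaults are the 2.9.0.5 manual values quoted in the thread; the lint logic
# itself is a constructed approximation, not Snort's stream5 parser.
STREAM5_DEFAULTS = {"max_tcp": 262144, "max_udp": 131072}
KEYWORDS = {"track_tcp", "track_udp", "track_icmp", "max_tcp", "max_udp",
            "max_active_responses", "min_response_seconds"}

# The VRT 2.9.0.4 line from the thread, as one logical line (constructed copy).
VRT_2904_LINE = ("preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, "
                 "track_icmp no max_active_responses 2 min_response_seconds 5\n")
# Eoin's second suggestion, using ',\' line continuations (constructed copy).
SUGGESTED_LINE = ("preprocessor stream5_global: track_tcp yes,\\\n  max_tcp 262144,\\\n"
                  "  track_udp yes,\\\n  max_udp 131072,\\\n  track_icmp no,\\\n"
                  "  max_active_responses 2,\\\n  min_response_seconds 5\n")

def stream5_global_options(conf_text):
    """Parse the stream5_global line into {keyword: argument}; also return warnings."""
    text = re.sub(r"\\\s*\n\s*", " ", conf_text)          # join backslash continuations
    m = re.search(r"preprocessor\s+stream5_global:\s*(.*)", text)
    if not m:
        return {}, ["no stream5_global line found"]
    options, warnings = {}, []
    for token in (t.strip() for t in m.group(1).split(",") if t.strip()):
        words = token.split()
        # Every stream5_global keyword here takes one argument, so a further
        # keyword inside the same comma-delimited token means a comma is missing;
        # a strict parser keeps only the first pair and silently drops the rest.
        extra = [w for w in words[2:] if w in KEYWORDS]
        if extra:
            warnings.append(f"missing comma before {extra[0]!r} in {token!r}")
        options[words[0]] = words[1] if len(words) > 1 else None
    return options, warnings

def session_limit_findings(options):
    """Compare max_tcp/max_udp against the manual defaults and flag oddities."""
    findings, limits = [], {}
    for key, default in STREAM5_DEFAULTS.items():
        if options.get(key) is None:
            limits[key] = default
            findings.append(f"{key} not set; default {default} applies")
        else:
            limits[key] = int(options[key])
            if limits[key] < default:
                findings.append(f"{key}={limits[key]} is below the default {default}")
    if limits["max_udp"] > limits["max_tcp"]:
        findings.append("more UDP sessions tracked than TCP sessions")
    return findings

if __name__ == "__main__":
    for line in (VRT_2904_LINE, SUGGESTED_LINE):
        opts, warns = stream5_global_options(line)
        print(warns, session_limit_findings(opts))
```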

