[Snort-users] VRT stream5 Preprocessor Config vs Default Settings

Steven Sturges ssturges at ...1935...
Fri Apr 29 10:33:34 EDT 2011


For max_tcp, stream doesn't preallocate the memory, but that does
limit the number of simultaneous TCP connections being tracked.

The default in Snort is 256k for max_tcp.

Cheers.
-steve

On 4/29/11 10:28 AM, Matt Watchinski wrote:
> Stream5's config parser is pretty loose, so commas or spaces are ok
> and can be interchanged.  This is inconsistent though in my opinion,
> so I'll reformat it for the ,\ per line as suggested below so it's easier
> to read in 2.9.0.5 conf file for the next rule package we release.
>
> As for the max_tcp number, being set to 8192, the CVS comments for
> when this was set in the 2861 conf is that it is for memory allocation
> reasons in stream5, as it pre-allocates memory per stream tracked.
> Since the default is a higher number, I'll update it to reflect that
> default in the 2905.conf
>
> Thanks for the feedback.
>
> Cheers,
> -matt
>
>
>
> On Thu, Apr 28, 2011 at 5:20 PM, Eoin Miller
> <eoin.miller at ...14586...>  wrote:
>> VRT supplied snort.conf file that comes with 2.9.0.4 as of today contains
>> this line:
>>
>> ---snip---
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,
>> track_icmp no max_active_responses 2 min_response_seconds 5
>>              ^                      ^
>>              |---missing commas?----|
>> ---snip---
>>
>> I guess it still loads it with these options? If not it should look like
>> (separated by line to make easier to read in the email threads):
>>
>> preprocessor stream5_global: max_tcp 8192,\
>> track_tcp yes,\
>> track_udp yes,\
>> track_icmp no,\
>> max_active_responses 2,\
>> min_response_seconds 5
>>
>> Some of those settings are even less than what is turned on by default
>> though it would appear. max_tcp is set to 8192 in the VRT conf as shown
>> above, however the 2.9.0.5 manual states:
>> --snip--
>> max_tcp<num sessions>  || Maximum simultaneous TCP sessions tracked. The
>> default is ”262144”, maximum is ”1048576”, minimum is ”1”.
>> --snip--
>>
>> What else is weird is that max_udp is missing in the config and therefore the
>> default value of 131072 would kick in, so the VRT config has you tracking a
>> lot more UDP sessions than TCP sessions with stream5. From the 2.9.0.5
>> manual:
>> --snip--
>> max_udp<num sessions>  || Maximum simultaneous UDP sessions tracked. The
>> default is ”131072”, maximum is ”1048576”, minimum is ”1”.
>> --snip--
>>
>> Not sure if this is by design or just an artifact from the previous
>> snort.conf's where this has been set to this value forever in recent memory.
>> Value does seem pretty low however.
>>
>>
>> I guess something more like:
>>
>> preprocessor stream5_global: track_tcp yes,\
>> track_udp yes,\
>> track_icmp no,\
>> max_active_responses 2,\
>> min_response_seconds 5
>>
>> Or:
>>
>> preprocessor stream5_global: track_tcp yes,\
>> max_tcp 262144,\
>> track_udp yes,\
>> max_udp 131072,\
>> track_icmp no,\
>> max_active_responses 2,\
>> min_response_seconds 5
>>
>> Thought this might be worthy of review/consideration for others.
>>
>> -- Eoin
>>
>>
>>
>
>
>
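
A check for the two points raised in this thread, as an added example that is not part of the original messages or of Snort. The function name `lint_stream5_global` is hypothetical, the option list is limited to the names that appear above, and the defaults and limits are the ones quoted from the 2.9.0.5 manual; space-only separation is reported as a finding even though the parser accepts it.

```python
import re

# Defaults and limits as quoted from the 2.9.0.5 manual in the thread.
DEFAULTS = {"max_tcp": 262144, "max_udp": 131072}
LIMITS = (1, 1048576)
# Only the option names that appear in the thread; each takes one value.
KNOWN = {"max_tcp", "max_udp", "track_tcp", "track_udp", "track_icmp",
         "max_active_responses", "min_response_seconds"}

def lint_stream5_global(conf_text):
    """Return (options, findings) for a stream5_global directive."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)        # fold ',\' continuations
    m = re.search(r"preprocessor\s+stream5_global:(.*)", joined)
    if not m:
        raise ValueError("no stream5_global directive found")
    options, findings = {}, []
    for chunk in m.group(1).split(","):
        tokens = chunk.split()
        # A well-formed chunk is exactly "name value"; more tokens means
        # options were separated by spaces only.
        if len(tokens) > 2:
            findings.append("missing comma in: " + " ".join(tokens))
        for name, value in zip(tokens[0::2], tokens[1::2]):
            if name not in KNOWN:
                findings.append("unrecognised option: " + name)
            options[name] = value
    effective = dict(DEFAULTS)
    for name in DEFAULTS:
        if name in options:
            effective[name] = int(options[name])
            if not LIMITS[0] <= effective[name] <= LIMITS[1]:
                findings.append(f"{name} {effective[name]} out of range")
            elif effective[name] < DEFAULTS[name]:
                findings.append(f"{name} {effective[name]} is below the default {DEFAULTS[name]}")
        else:
            findings.append(f"{name} not set, default {DEFAULTS[name]} applies")
    if effective["max_tcp"] < effective["max_udp"]:
        findings.append("fewer TCP sessions tracked than UDP sessions")
    return options, findings

# The 2.9.0.4 snort.conf line quoted in the thread, with the mail wrapping removed.
VRT_LINE = ("preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, "
            "track_icmp no max_active_responses 2 min_response_seconds 5\n")

if __name__ == "__main__":
    for finding in lint_stream5_global(VRT_LINE)[1]:
        print(finding)
```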



