Let us know your results!<div><br></div><div>J<br><div><br><div class="gmail_quote">On Wed, Mar 11, 2009 at 5:40 PM, Jefferson, Shawn <span dir="ltr"><<a href="mailto:Shawn.Jefferson@...14448...">Shawn.Jefferson@...391...4448...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">








<div lang="EN-CA" link="blue" vlink="blue">

<div>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue">I figured so.  My SYN + ACK are almost a
single line on this sensor.  I’ll increase the limit and see what it does.</span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue"> </span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue">Thanks,</span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue">Shawn</span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue"> </span></font></p>

<div>

<div align="center" style="text-align:center"><font size="3" face="Times New Roman"><span lang="EN-US" style="font-size:12.0pt">

<hr size="2" width="100%" align="center">

</span></font></div>

<p><b><font size="2" face="Tahoma"><span lang="EN-US" style="font-size:10.0pt;font-family:Tahoma;font-weight:bold">From:</span></font></b><font size="2" face="Tahoma"><span lang="EN-US" style="font-size:10.0pt;font-family:Tahoma">
<a href="mailto:jesler@...1935..." target="_blank">jesler@...1935...</a> [mailto:<a href="mailto:jesler@...1935..." target="_blank">jesler@...979...1935...</a>] <b><span style="font-weight:bold">On Behalf Of </span></b>Joel Esler<br>

<b><span style="font-weight:bold">Sent:</span></b> March 11, 2009 2:39 PM</span></font></p><font size="2" face="Tahoma"><div><div></div><div class="h5"><br>
<b><span style="font-weight:bold">To:</span></b> Jefferson, Shawn<br>
<b><span style="font-weight:bold">Cc:</span></b>
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
<b><span style="font-weight:bold">Subject:</span></b> Re: [Snort-users] Getting
tuned finally!</div></div></font><p></p>

</div><div><div></div><div class="h5">

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt">Give it a try.  </span></font></p>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt">The reason I asked is that if your sensor is outside the firewall, your
SYN and SYN-ACK counts won't line up, eating sessions.  That's why I was
asking.</span></font></p>

</div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

<div>

<p style="margin-bottom:12.0pt"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">J</span></font></p>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt">On Wed, Mar 11, 2009 at 5:25 PM, Jefferson, Shawn <<a href="mailto:Shawn.Jefferson@...14448..." target="_blank">Shawn.Jefferson@...14448...</a>>
wrote:</span></font></p>

<div link="blue" vlink="blue">

<div>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue">Hi,</span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue"> </span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue">The sensor is on the inside of the firewall, but it’s fairly
busy.</span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue"> </span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue">Tracking more sessions sounds like a good thing… ? 
Should I bump this up and monitor the performance?</span></font></p>

<p><font size="3" color="blue" face="Arial"><span style="font-size:12.0pt;font-family:Arial;color:blue"> </span></font></p>

<div>

<div align="center" style="text-align:center"><font size="3" face="Times New Roman"><span lang="EN-US" style="font-size:12.0pt">

<hr size="2" width="100%" align="center">

</span></font></div>

<p><b><font size="2" face="Tahoma"><span lang="EN-US" style="font-size:10.0pt;font-family:Tahoma;font-weight:bold">From:</span></font></b><font size="2" face="Tahoma"><span lang="EN-US" style="font-size:10.0pt;font-family:Tahoma"> <a href="mailto:jesler@...1935..." target="_blank">jesler@...1935...</a>
[mailto:<a href="mailto:jesler@...1935..." target="_blank">jesler@...13703...35...</a>]
<b><span style="font-weight:bold">On Behalf Of </span></b>Joel Esler<br>
<b><span style="font-weight:bold">Sent:</span></b> March 11, 2009 2:19 PM<br>
<b><span style="font-weight:bold">To:</span></b> Jefferson, Shawn<br>
<b><span style="font-weight:bold">Cc:</span></b> <a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@...2652...e.net</a><br>
<b><span style="font-weight:bold">Subject:</span></b> Re: [Snort-users] Getting
tuned finally!</span></font></p>

</div>

<div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt">If you
increase this number, obviously it will allow you to track more sessions.
 What is the placement of your sensor (inside or outside the firewall)?</span></font></p>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

<div>

<p style="margin-bottom:12.0pt"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">J</span></font></p>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt">On Wed,
Mar 11, 2009 at 4:55 PM, Jefferson, Shawn <<a href="mailto:Shawn.Jefferson@...14448..." target="_blank">Shawn.Jefferson@...14448...</a>>
wrote:</span></font></p>

<div>

<div>

<p><font size="3" face="Arial"><span style="font-size:12.0pt;font-family:Arial">So
I think I’m finally getting my Snort sensor tuned so that I am achieving a
balance between resources (not dropping any packets according to snorts.stats)
and having some of the EmergingThreats rulesets enabled.  I do have some
questions about the stream5 preprocessor though.</span></font></p>

</div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

<div>

<p><font size="3" face="Arial"><span style="font-size:12.0pt;font-family:Arial">I
noticed that I was getting “faults” occasionally, and subsequent messages in
the daemon.log about pruning sessions, so I increased the memcap limit until
these went away.  Is this a “correct” action to take?</span></font></p>

</div>

<div>

<p><font size="3" face="Arial"><span style="font-size:12.0pt;font-family:Arial"> </span></font></p>

</div>

<div>

<p><font size="3" face="Arial"><span style="font-size:12.0pt;font-family:Arial">Also,
I noticed that my Open Sessions stats show open sessions to pretty much always
be equal to max sessions, which is set at 8192.  Should I be increasing
this, or is that normal behaviour?</span></font></p>

</div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

<div>

<p><font size="3" face="Arial"><span style="font-size:12.0pt;font-family:Arial">Thanks,</span></font></p>

</div>

<div>

<p><font size="3" face="Arial"><span style="font-size:12.0pt;font-family:Arial">Shawn</span></font></p>

</div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

<div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"> </span></font></p>

</div>

</div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><br>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a></span></font></p>

</div>

<p><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><br>
<br clear="all">
<br>
-- <br>
Joel Esler<br>
T: 302-223-5974 (-) Gtalk: <a href="mailto:jesler@...1935..." target="_blank">jesler@...1935...</a><br>
[m]</span></font></p>

</div>

</div>

</div>

</div>

</div>

</div>


</div>

</div></div></div>

</div>


</blockquote></div>
</div></div>
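<p>An added example, not part of this thread and not the Snort project's own configuration: a Snort 2.8-era stream5 configuration that puts the kind of small session table Shawn describes beside a resized one, and shows the knob that addresses Joel's outside-the-firewall concern. All numeric values, the idle timeouts and the <code>require_3whs</code> variant are assumptions chosen for illustration, not settings taken from Shawn's sensor; size them from your own sensor's observed peak.</p>

```conf
# Added example, not from the thread. Snort 2.8-era stream5 syntax; the numbers
# below are illustrative assumptions, not values from Shawn's sensor.

# --- Before: a session table too small for a busy inside-the-firewall sensor.
# With max_tcp 8192, "open sessions" sits at the cap and stream5 must evict
# (prune) a live session to admit each new one. Traffic on an evicted session
# is no longer reassembled or inspected, so the sensor goes partially blind,
# which is a quiet detection gap rather than a visible packet drop.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 8192, max_udp 8192, memcap 8388608
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: ignore_any_rules

# --- After: raise the table above the observed peak, raise memcap (bytes) with
# it so the reassembly buffers of those sessions fit, and keep idle timeouts
# short so dead sessions leave the table on their own instead of being pruned.
# Both max_tcp and memcap evict sessions when exhausted, and memcap is shared
# across TCP/UDP/ICMP tracking, so raise the two together and re-check the
# daemon log for stream5 prune messages after the change.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 131072, max_udp 32768, memcap 268435456
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
    timeout 30, max_queued_bytes 1048576
preprocessor stream5_udp: timeout 30, ignore_any_rules

# --- If the sensor sat outside the firewall (Joel's point): SYNs the firewall
# drops never receive a SYN-ACK, so each one leaves a half-open entry in the
# table until it times out. require_3whs only creates a session once the
# handshake completes, so dropped SYNs cannot fill the table at all.
# preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
#     require_3whs, timeout 30
```

<p>After editing, validate with <code>snort -T -c snort.conf</code> before restarting the sensor, then compare the open-session count against the new <code>max_tcp</code>: a count that still rides at the cap means the table is undersized or the timeout is too long, while prune messages with the count below the cap point at <code>memcap</code> as the binding limit.</p>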