Snort mailing list archives
Re: Snort getting overloaded by http traffic:
From: "Imran William Smith" <iwsmith () mimos my>
Date: Wed, 26 Jun 2002 10:27:52 +0800
And is the buffering done by the kernel / libpcap (as implied by Keith), or does snort do the buffering? Does snort have the ability to buffer packets it is not yet ready to 'process'? Would this achieve anything?

I think if you use the HUP signal to snort to dump statistics and rotate logfiles, it can drop some packets at this point.

Can anybody clear up quite if / where buffering of packets occurs, and why 'more memory' is useful to a sensor box? Of course, if you have MySQL on the same machine, you need memory, but that's probably a bad idea anyway.

--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message -----
From: "Jason Haar" <Jason.Haar () trimble co nz>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, June 26, 2002 9:55 AM
Subject: Re: [Snort-users] Snort getting overloaded by http traffic:

| On Tue, Jun 25, 2002 at 01:35:10PM -0400, McCammon, Keith wrote:
| > The amount of traffic that Snort is able to inspect has less to do with
| > Snort and almost everything to do with the underlying operating system, IP
| > stack, and (most importantly) available resources. If the operating system
| > is short of resources (specifically RAM), then packets are going to be
| > dropped by the kernel due to lack of buffer space and general congestion.
| > As such, they will never be presented to Snort for inspection.
|
| [mutter, mutter Microsoft - how about some word wrapping!!!]
|
| Anyway, this comment about RAM - is that actually true? I mean, there's a
| few areas where snort needs to swallow *some* RAM - to track state, etc -
| but other than that it's not a big requirement....
|
| The reason I ask is that I'm running snort under daemontools as a supervised
| script, and one thing I've done is to tell it it can't grow above 20M as
| that indicates a memory leak. So far snort appears to hang around 10M - so I
| feel happy with that.
|
| Does snort ever need to grow to > 20Meg???
|
| --
| Cheers
|
| Jason Haar
| Information Security Manager, Trimble Navigation Ltd.
| Phone: +64 3 9635 377 Fax: +64 3 9635 417
| PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
|
|
| -------------------------------------------------------
| This sf.net email is sponsored by: Jabber Inc.
| Don't miss the IM event of the season | Special offer for OSDN members!
| JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
| _______________________________________________
| Snort-users mailing list
| Snort-users () lists sourceforge net
| Go to this URL to change user options or unsubscribe:
| https://lists.sourceforge.net/lists/listinfo/snort-users
| Snort-users list archive:
| http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort getting overloaded by http traffic: Ashley Thomas (Jun 25)
- <Possible follow-ups>
- RE: Snort getting overloaded by http traffic: McCammon, Keith (Jun 25)
- Re: Snort getting overloaded by http traffic: hackerwacker (Jun 25)
- Re: Snort getting overloaded by http traffic: Jason Haar (Jun 25)
- Re: Snort getting overloaded by http traffic: Imran William Smith (Jun 25)
- RE: Snort getting overloaded by http traffic: Ashley Thomas (Jun 25)
- RE: Snort getting overloaded by http traffic: Matt Kettler (Jun 25)
- RE: Snort getting overloaded by http traffic: larosa, vjay (Jun 26)