Snort mailing list archives
Re: Snort behaviour graphic.
From: Chris Green <cmg () sourcefire com>
Date: Wed, 10 Jul 2002 18:13:20 -0400
Emilio Mira <emial () alumni uv es> writes:
Hi Chris, My stream4 and frag2 configurations are by default in 1.8.7: preprocessor stream4: detect_scans, disable_evasion_alerts preprocessor frag2 There are about 10,000 hosts in my network, and the kind of traffic ... ummm ... I'm monitorizing an University, so HTTP, FTP, p2p I think.
Yeah, I think you need to increase your stream4 memcap to 16777216 atleast.. I'd be interested in another graphic representating that again.
And, what did you mean with "I wouldn't be suprised if those times are when you are hitting a forced session prune."
Oh, when the state table for the conversation stuff gets full, it will go though and expire old nodes that are being unused. That can be a fairly expensive operation ( and maybe one worth investigating further ). -- Chris Green <cmg () sourcefire com> A good pun is its own reword. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Two, two, TWO treats in one. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort behaviour graphic. Emilio Mira (Jul 10)
- RE: Snort behaviour graphic. Ashley Thomas (Jul 10)
- RE: Snort behaviour graphic. Ashley Thomas (Jul 10)
- Re: Snort behaviour graphic. Chris Green (Jul 10)
- Re: Snort behaviour graphic. Emilio Mira (Jul 10)
- Re: Snort behaviour graphic. Chris Green (Jul 10)
- Re: Snort behaviour graphic. Emilio Mira (Jul 10)
- <Possible follow-ups>
- RE: Snort behaviour graphic. Emilio Mira Alfaro (Jul 10)