Snort mailing list archives
Re: Snort max at 256 simultaneous TCP stream?
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 28 Jun 2004 11:03:18 -0400
Hi Tom,Stream4 can handle in excess of 1 million sessions if you have the RAM to give it. The number of sessions you can track is limited by the memcap that you provide to stream4. As a rule of thumb, figure about 1024 bytes of data to manage for each stream, so if you want to handle a million streams you need to set the memcap to roughly a gigabyte. I think the actual number is below 1024 bytes, but that's a good rule of thumb.
Snort's original stream reassembler had a hard limit of 256 sessions when it was developed. Stream4 was written to address that limitation and build a system that was robust and scalable. We've tested it here at Sourcefire (and in the OSEC tests) at extremely high loads (1 million+ streams) and speeds (1Gbps+) and it seems to perform well across the board if you give it sufficient resources.
-Marty
On Jun 26, 2004, at 1:33 PM, Tom Fulton wrote:
In the Snort Users Manual for 1.9.1 (2.4.6 Stream4; p. 35) it states that Stream4 "should" be able to scale to handle 32,768 simultaneous TCP connections in its default config. That this is better for the large scale users who need "…to track more than 256 simultaneous TCP streams".Is this bottleneck (256 max TCP streams) for snort often experienced in normal operation when not running Stream4? What happens when this max is reached? Packets just get dropped? Any alerts or errors by default?What is the recommended memcap size for a sensor expecting to reach the 32,768 simultaneous TCP connections?Thanks tom
-- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Intelligent Security Monitoring roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.Net email sponsored by Black Hat Briefings & Training. Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort max at 256 simultaneous TCP stream? Tom Fulton (Jun 26)
- RE: Snort max at 256 simultaneous TCP stream? Tom Fulton (Jun 26)
- Re: Snort max at 256 simultaneous TCP stream? Edin Dizdarevic (Jun 26)
- Re: Snort max at 256 simultaneous TCP stream? Martin Roesch (Jun 28)
- RE: Snort max at 256 simultaneous TCP stream? Tom Fulton (Jun 26)