Snort mailing list archives
Re: Stream4 behavior
From: "Lorine Ruotolo" <lori.ruotolo () hotmail com>
Date: Tue, 28 Mar 2006 12:20:21 -0600
I usually take a number of small packet captures to get a footprint of the network and figure out what to disable and look for.
Then, I do things like disable the reassembly of any encryption or tunnel protocols since they are usually the most common to fragment while still being acceptable traffic.
From: sekure <sekure () gmail com>
To: "Joel Esler" <joel.esler () sourcefire com>
CC: "Snort Users" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Stream4 behavior
Date: Tue, 28 Mar 2006 11:50:11 -0500

Joel, snorters

Any ideas? Whatever was happening has subsided, and I am back to about 200 stream flushes/second and around 10K packets/sec. But I went looking through my perfmonitor graphs and I see short spikes in packets/sec, tied to spikes in stream flushes/second, tied to CPU utilization nearing 100% and packets dropped all over the floor. Seems that nothing I do with stream4 parameters helps. Do you have any suggestions for me to try? Is there any guidance for configuring the stream4 preprocessor, other than what's in the documentation?

On 3/27/06, sekure <sekure () gmail com> wrote:
> Joel,
>
> I'd love to know myself. Nothing changed snort configuration-wise in snort. My guess is someone started doing something funky on the network. I can't put my finger on it. I see a lot of netbios traffic with iptraf, so perhaps someone is copying tons of stuff, though I have no idea what they'd be copying for the past 6 hours.
>
> BTW, the packets/second count also went up from about 8K to 20K at the same time.
>
> I RTFM'ed and tried playing around with some of the new stream4 parameters. Currently I have it configured like so:
> preprocessor stream4: disable_evasion_alerts, detect_scans, memcap 67108864, self_preservation_threshold 3500, suspend_threshold 5000, max_sessions 65536, timeout 20
>
> No change, still dropping packets like crazy. Running Snort Version 2.4.2.
>
> I'd appreciate any help.
>
> On 3/27/06, Joel Esler <joel.esler () sourcefire com> wrote:
> > You say you went from 200 to about 3000? What changed? Please provide more info if you could, we'd be glad to help.
> >
> > J
> >
> > On Mar 27, 2006, at 4:24 PM, sekure wrote:
> > > Question:
> > >
> > > I went from seeing around 200 stream flushes per second to about 3000. Needless to say CPU spiked to 100% and snort is dropping upwards of 60% of packets.
> > >
> > > I tried increasing the stream4 memcap from the default 8MB to 128 MB with no improvement in performance.
> > >
> > > This is an Intel 2.8 Xeon with 1GB RAM which had no problems dealing with ~80-90Mbps on an average basis.
> > >
> > > Here is my relevant config:
> > > preprocessor stream4: disable_evasion_alerts, detect_scans, memcap 134217728, timeout 60
> > > preprocessor stream4_reassemble: both
> > >
> > > While I hunt down the source of the problem, can someone answer my questions:
> > >
> > > Other than the stream timing out based on the timeout value, what else would cause a stream to be flushed?
> > > What can I do to enable snort to cope better with this?
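Lorine's approach above, footprinting the network from small captures before deciding which ports to leave out of stream4 reassembly, as an added example that is not part of the thread: a minimal libpcap reader that tallies distinct TCP flows and bytes per server port and lists the ports worth keeping in a `stream4_reassemble: ports ...` list. The encrypted/tunnel port set and the embedded sample capture are constructed assumptions for the example.

```python
import socket
import struct
from collections import defaultdict

# Encrypted/tunnel server ports: reassembly costs stream4 CPU and memory for
# payload that content rules cannot match anyway (assumed set, not from the thread).
ENCRYPTED_OR_TUNNEL = {22, 443, 500, 993, 995, 1194, 1723, 4500}

def frame(src, dst, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP frame with a zero-filled payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len

def build_pcap(frames):
    """Wrap frames in a libpcap file (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def footprint(pcap):
    """Per server port: set of distinct TCP flows and total IP-layer bytes."""
    stats = defaultdict(lambda: {"flows": set(), "bytes": 0})
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        f = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # only IPv4/TCP creates stream4 session state
        sport, dport = struct.unpack_from("!HH", f, 14 + (f[14] & 0x0F) * 4)
        server = min(sport, dport)  # lower port taken as the service side
        stats[server]["flows"].add(frozenset({(f[26:30], sport), (f[30:34], dport)}))
        stats[server]["bytes"] += struct.unpack_from("!H", f, 16)[0]
    return stats

def reassembly_ports(stats):
    """Ports worth naming in 'stream4_reassemble: ports ...': seen and cleartext."""
    return sorted(p for p in stats if p not in ENCRYPTED_OR_TUNNEL)

# Constructed capture: two SMB transfers to one server plus one HTTPS session.
SAMPLE_PCAP = build_pcap([
    frame("10.0.0.5", "10.0.0.20", 1025, 445, 1400),
    frame("10.0.0.20", "10.0.0.5", 445, 1025, 0),  # pure ACK, same flow as above
    frame("10.0.0.6", "10.0.0.20", 2048, 445, 1400),
    frame("10.0.0.5", "10.0.0.30", 1026, 443, 500),
    frame("10.0.0.5", "10.0.0.30", 1026, 443, 500),
])
```

Run `footprint` over a real capture instead of `SAMPLE_PCAP` and the ports that dominate by bytes but sit in the encrypted set are the first candidates to drop from reassembly.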
Current thread:
- Stream4 behavior sekure (Mar 27)
- Re: Stream4 behavior Joel Esler (Mar 27)
- Re: Stream4 behavior sekure (Mar 27)
- Re: Stream4 behavior sekure (Mar 28)
- Re: Stream4 behavior Lorine Ruotolo (Mar 28)
- Re: Stream4 behavior Jason Brvenik (Mar 28)
- Re: Stream4 behavior Matthew Watchinski (Mar 28)
- Re: Stream4 behavior sekure (Mar 27)
- Re: Stream4 behavior Joel Esler (Mar 27)