Snort mailing list archives
Re: Snort 2.6.1.3 ignoring stream4
From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 5 Apr 2007 17:24:09 -0400
Paul,

Just a question, we'll have to look at this more intensely, but try

    config detection: search-method ac-bnfa

Joel

On Thu, Apr 05, 2007 at 04:52:03PM -0400, it looks like Paul Melson sent me:
> After upgrading from 2.6.0 to 2.6.1.3 Snort is using a much greater amount
> of CPU and memory. After looking at perfmonitor output, it seems to be
> maxing out at ~ 8K sessions pretty much 24/7 despite the following in
> snort.conf:
>
>     preprocessor stream4: disable_evasion_alerts, server_inspect_limit 300, memcap 209715200, max_sessions 2048
>
> It seems to be ignoring max_sessions and memcap both. Anybody else run
> across this issue? It's causing the sensor to peak at around 20% packet
> loss during high traffic periods.
>
> Thanks,
> PaulM

+---------------------------------------------------------------------+
Joel Esler
Security Consultant
gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+