
| Subject: | Re: [Snort-users] Stream4 behavior |
|---|---|
| Date: | Mon, 27 Mar 2006 17:21:40 -0500 |

Joel,

I'd love to know myself. Nothing changed snort configuration-wise in snort. My guess is someone started doing something funky on the network. I can't put my finger on it. I see a lot of netbios traffic with iptraf, so perhaps someone is copying tons of stuff, though I have no idea what they'd be copying for the past 6 hours. BTW, the packets/second count also went up from about 8K to 20K at the same time.

I RTFM'ed and tried playing around with some of the new stream4 parameters. Currently I have it configured like so:

    preprocessor stream4: disable_evasion_alerts, detect_scans, memcap 67108864, self_preservation_threshold 3500, suspend_threshold 5000, max_sessions 65536, timeout 20

No change, still dropping packets like crazy.

Running Snort Version 2.4.2

I'd appreciate any help.

On 3/27/06, Joel Esler <joel.esler@sourcefire.com> wrote:
> You say you went from 200 to about 3000? What changed? Please provide more info if you could, we'd be glad to help.
>
> J
>
> On Mar 27, 2006, at 4:24 PM, sekure wrote:
>
>> Question: I went from seeing around 200 stream flushes per second to about 3000. Needless to say CPU spiked to 100% and snort is dropping upwards of 60% of packets. I tried increasing the stream4 memcap from default 8MB to 128 MB with no improvement in performance. This is an Intel 2.8 Xeon with 1GB RAM which had no problems dealing with ~80-90Mbps on an average basis.
>>
>> Here is my relevant config:
>>
>>     preprocessor stream4: disable_evasion_alerts, detect_scans, memcap 134217728, timeout 60
>>     preprocessor stream4_reassemble: both
>>
>> While I hunt down the source of the problem, can someone answer my questions: Other than the stream timing out based on the timeout value, what else would cause a stream to be flushed? What can I do to enable snort to cope better with this?
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users