Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Alert payloads not matching alert rules

from [Joel Esler] Network Security [Permanent Link]
Subject: Re: [Snort-users] Alert payloads not matching alert rules
Date: Mon, 27 Nov 2006 09:13:12 -0500 
No, I do not mean multiple instances of Snort overwriting each others memory.  
"its OWN memory".  I am talking about a single Snort process.  Then when you 
try and run 3 on the same box, you wind up trying to cram too much traffic in 
too small of a hole.

Plus there is no way to know how the Snort process is tuned.  Follow Marc's 
advice and use "zero_flushed_packets" within stream4.

J


On Thu, Nov 23, 2006 at 09:21:51AM +1300, it looks like Jason Haar sent me:

Joel Esler wrote:

Are you dropping any packets?  It seems that with 3 processes of Snort, on 
the same box, with only 2 Gigs of RAM trying to analyze that much traffic, 
you are probably dropping packets in addition to Snort overwriting its own 
memory.

  

Hi Joel

Can you explain what you mean by snort overwriting it's own memory? How
is that possible? I thought standard OS process separation would stop
that? (I am assuming you meant having >1 snort process leads to one
snort process "corrupting" another)

I also routinely run multiple snort instances - this comes as a bit of a
shock...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Alert payloads not matching alert rules, Joel Esler
Next by Date:  Re: [Snort-users] Looooots of "Outstanding" and "Analyzed" packets - counter wrap ?, Justin Heath
Previous by Thread:  Re: [Snort-users] Alert payloads not matching alert rules, Jason Haar
Next by Thread:  Re: [Snort-users] Alert payloads not matching alert rules, Marc Norton
Indexes:  [Date] [Thread] [Top] [All Lists]