On 4/28/2011 9:20 PM, Eoin Miller wrote:
> VRT supplied snort.conf file that comes with 2.9.0.4 as of today
> contains this line:
>
> ---snip---
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp
> yes, track_icmp no max_active_responses 2 min_response_seconds 5
> ^ ^
> |---missing commas?----|
> ---snip---
>
> I guess it still loads it with these options? If not it should look
> like (separated by line to make easier to read in the email threads):
>
> preprocessor stream5_global: max_tcp 8192,\
> track_tcp yes,\
> track_udp yes,\
> track_icmp no,\
> max_active_responses 2,\
> min_response_seconds 5
>
> Some of those settings are even less than what is turned on by default
> though it would appear. max_tcp is set to 8192 in the VRT conf as
> shown above, however the 2.9.0.5 manual states:
> --snip--
> max_tcp <num sessions> || Maximum simultaneous TCP sessions tracked.
> The default is "262144", maximum is "1048576", minimum is "1".
> --snip--
>
> What else is weird is that max_udp is missing in the config and
> therefore the default value of 131072 would kick in, so the VRT config
> has you tracking a lot more UDP sessions than TCP sessions with
> stream5. From the 2.9.0.5 manual:
> --snip--
> max_udp <num sessions> || Maximum simultaneous UDP sessions tracked.
> The default is "131072", maximum is "1048576", minimum is "1".
> --snip--
>
> Not sure if this is by design or just an artifact from the previous
> snort.conf's where this has been set to this value forever in recent
> memory. Value does seem pretty low however.
>
>
> I guess something more like:
>
> preprocessor stream5_global: track_tcp yes,\
> track_udp yes,\
> track_icmp no,\
> max_active_responses 2,\
> min_response_seconds 5
>
> Or:
>
> preprocessor stream5_global: track_tcp yes,\
> max_tcp 262144,\
> track_udp yes,\
> max_udp 131072,\
> track_icmp no,\
> max_active_responses 2,\
> min_response_seconds 5
>
> Thought this might be worthy of review/consideration for others.
>
> -- Eoin
>
>
Noticed after updating this to use the default settings for the max_tcp,
the Snort process generates tons of alerts about pruning 5 sessions at a
time due to memcap limitations. If you up the number of sessions tracked
from 8192 to the default 262144, you need to increase memcap from the
default 8MB. I tried tripling it and it seems to be working ok. I put
this in my stream5_global variable list:
memcap 33554432
-- Eoin
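A small linter for the two problems raised in this thread, added here as an illustration and not something from the thread or from Snort itself. It assumes the option list is comma separated as the original post suggests, uses the manual defaults quoted above (max_tcp 262144, max_udp 131072) and the 8MB memcap default mentioned in the reply, and flags segments that hold more than one key/value pair as well as values below those defaults.

```python
"""Lint a Snort 2.9 'preprocessor stream5_global:' line (added example).

Defaults are the values quoted in this thread; nothing here is read from
Snort's own sources.
"""
import re

# Defaults quoted in the thread (manual excerpts and the memcap reply).
DEFAULTS = {"max_tcp": 262144, "max_udp": 131072, "memcap": 8 * 1024 * 1024}
KNOWN = {"track_tcp", "track_udp", "track_icmp", "max_tcp", "max_udp",
         "max_active_responses", "min_response_seconds", "memcap"}


def lint_stream5_global(text):
    """Return (options, problems) for one stream5_global line.

    Backslash-newline continuations (as used in the thread) are joined first.
    """
    body = text.replace("\\\n", " ")
    m = re.match(r"\s*preprocessor\s+stream5_global:\s*(.*)", body, re.S)
    if not m:
        raise ValueError("not a stream5_global preprocessor line")
    options, problems = {}, []
    for segment in m.group(1).split(","):
        tokens = segment.split()
        if not tokens:
            continue
        if len(tokens) != 2:
            # e.g. "track_icmp no max_active_responses 2 ..." in the VRT line
            problems.append("missing comma in segment: %r" % " ".join(tokens))
        if len(tokens) % 2:
            problems.append("dangling token in segment: %r" % tokens[-1])
        # Recover key/value pairs so the value checks below still run.
        for key, value in zip(tokens[::2], tokens[1::2]):
            if key not in KNOWN:
                problems.append("unknown option %r" % key)
            options[key] = value
    for key, default in DEFAULTS.items():
        if key in options and options[key].isdigit() and int(options[key]) < default:
            problems.append("%s %s is below the quoted default %d"
                            % (key, options[key], default))
    if options.get("track_udp") == "yes" and "max_udp" not in options:
        problems.append("track_udp yes without max_udp: default 131072 applies")
    return options, problems
```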
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net