This is a discussion on [Snort-users] Snort max at 256 simultaneous TCP stream? within the Snort forums, part of the System Security and Security Related category.
In the Snort Users Manual for 1.9.1 (2.4.6 Stream4; p. 35) it states that Stream4 "should" be able to scale to handle 32,768 simultaneous TCP connections in its default config. That this is better for the large scale users who need "...to track more than 256 simultaneous TCP streams".

Is this bottleneck (256 max TCP streams) for Snort often experienced in normal operation when not running Stream4? What happens when this max is reached? Packets just get dropped? Any alerts or errors by default?

What is the recommended memcap size for a sensor expecting to reach the 32,768 simultaneous TCP connections?

Thanks

tom