This is a discussion on RE: [Snort-users] Snort max at 256 simultaneous TCP stream? within the Snort forums, part of the System Security and Security Related category.
I'm just trying to get a feel for how much a sensor can scale and when you may need to add other sensors on a given subnet.

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Tom Fulton
Sent: Saturday, June 26, 2004 10:34 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort max at 256 simultaneous TCP stream?

In the Snort Users Manual for 1.9.1 (2.4.6 Stream4; p. 35) it states that Stream4 "should" be able to scale to handle 32,768 simultaneous TCP connections in its default config. That this is better for the large scale users who need "…to track more than 256 simultaneous TCP streams".

Is this bottleneck (256 max TCP streams) for snort often experienced in normal operation when not running Stream4? What happens when this max is reached? Packets just get dropped? Any alerts or errors by default?

What is the recommended memcap size for a sensor expecting to reach the 32,768 simultaneous TCP connections?

Thanks

tom