This is a discussion on Re: [Snort-users] Snort max at 256 simultaneous TCP stream? within the Snort forums, part of the System Security and Security Related category.
Hi Tom,
Stream4 can handle in excess of 1 million sessions if you have the RAM to give it. The number of sessions you can track is limited by the memcap that you provide to stream4. As a rule of thumb, figure about 1024 bytes of data to manage for each stream, so if you want to handle a million streams you need to set the memcap to roughly a gigabyte. I think the actual number is below 1024 bytes, but that's a good rule of thumb.

Snort's original stream reassembler had a hard limit of 256 sessions when it was developed. Stream4 was written to address that limitation and build a system that was robust and scalable. We've tested it here at Sourcefire (and in the OSEC tests) at extremely high loads (1 million+ streams) and speeds (1Gbps+) and it seems to perform well across the board if you give it sufficient resources.

-Marty

On Jun 26, 2004, at 1:33 PM, Tom Fulton wrote:

> In the Snort Users Manual for 1.9.1 (2.4.6 Stream4; p. 35) it states that Stream4 "should" be able to scale to handle 32,768 simultaneous TCP connections in its default config. That this is better for the large scale users who need "…to track more than 256 simultaneous TCP streams".
>
> Is this bottleneck (256 max TCP streams) for snort often experienced in normal operation when not running Stream4? What happens when this max is reached? Packets just get dropped? Any alerts or errors by default?
>
> What is the recommended memcap size for a sensor expecting to reach the 32,768 simultaneous TCP connections?
>
> Thanks
>
> tom

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org