Menu
▾
▴
Re: [Snort-inline-users] Hi CPU with inline patch against Snort 2.3.3
|
From: Will M. <wil...@gm...> - 2006-01-19 13:25:22
|
Of cource it is due to your stream4 configuration you are creating an uber packet for every packet that you receive that is part of the corresponding stream. If you want to protect your systems against session splicing attacks in InlineMode() this is the price you pay.=20 If you don't care about session splicing turn it off. Regards, Will On 1/19/06, ni...@el... <ni...@el...> wrote: > Hi, list > following is my machine configuration > > Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb NIC..= . > Memory:- 1GB > > The thing is after patching snort 2.3.3 with snort_inline patch... I have > 2 different configuration for Stream4 > > 1.) preprocessor stream4: disable_evasion_alerts > > In this case my CPU is less than 10 % for a set of traffic > > 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap > 134217728, timeout 3600, midstream_drop_alerts > > In this case my CPU hits 50% at specific intervals don't know interval is > random or some specific..... :) with same set of traffic.... > > Is it due to the inline modifications in stream4 ???? > > Regards, > Nishit Shah. > > > > > ------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. Do you grep through log fi= les > for problems? Stop! Download the new AJAX search engine that makes > searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! > http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D103432&bid=3D230486&dat= =3D121642 > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > |
