From: <ni...@el...> - 2006-01-23 10:55:50
Hi,

Does the Snort ruleset contain signatures that splice across the sessions? I am using the default ruleset of Snort 2.3.3.

Regards,
Nishit Shah.

> Of course it is due to your stream4 configuration; you are creating an
> uber packet for every packet that you receive that is part of the
> corresponding stream. If you want to protect your systems against
> session splicing attacks in InlineMode() this is the price you pay.
> If you don't care about session splicing turn it off.
>
> Regards,
>
> Will
>
> On 1/19/06, ni...@el... <ni...@el...> wrote:
>> Hi, list
>> following is my machine configuration
>>
>> Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb NIC...
>> Memory:- 1GB
>>
>> The thing is after patching snort 2.3.3 with snort_inline patch... I have
>> 2 different configurations for Stream4
>>
>> 1.) preprocessor stream4: disable_evasion_alerts
>>
>> In this case my CPU is less than 10 % for a set of traffic
>>
>> 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap 134217728, timeout 3600, midstream_drop_alerts
>>
>> In this case my CPU hits 50% at specific intervals, don't know if the interval is
>> random or some specific..... :) with same set of traffic....
>>
>> Is it due to the inline modifications in stream4 ????
>>
>> Regards,
>> Nishit Shah.
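A simplified model of the trade-off described in the quoted reply (per-packet matching versus rebuilding the stream for every packet), added here as an example; it is not part of the original thread and is not Snort code. The signature, payload, segment size and window are constructed values, and the function names are hypothetical.

```python
# Simplified model, NOT Snort's stream4 implementation: it only illustrates
# why matching a rebuilt stream on every packet costs more CPU than matching
# each packet alone, and why the latter misses content split across segments.

SIGNATURE = b"EXAMPLE-SIGNATURE"  # constructed content pattern (17 bytes)

def constructed_segments(payload, size):
    """Split a payload into fixed-size segments (constructed sample traffic)."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]

def inspect_per_packet(segments, signature=SIGNATURE):
    """Match every segment in isolation. Returns (detected, bytes_scanned)."""
    detected, scanned = False, 0
    for seg in segments:
        scanned += len(seg)
        if signature in seg:
            detected = True
    return detected, scanned

def inspect_reassembled(segments, signature=SIGNATURE, window=4096):
    """Rebuild the buffered stream for every arriving segment and match it.

    `window` caps the buffered bytes per session (an assumed stand-in for a
    memory cap). Returns (detected, bytes_scanned).
    """
    buffered, detected, scanned = b"", False, 0
    for seg in segments:
        buffered = (buffered + seg)[-window:]  # keep the newest `window` bytes
        scanned += len(buffered)               # whole rebuilt buffer is matched
        if signature in buffered:
            detected = True
    return detected, scanned

def compare(segment_size):
    """Run both inspectors over the same constructed payload."""
    payload = b"A" * 40 + SIGNATURE + b"B" * 40  # 97 bytes, constructed
    segs = constructed_segments(payload, segment_size)
    return inspect_per_packet(segs), inspect_reassembled(segs)

if __name__ == "__main__":
    for size in (1500, 8):
        per_packet, reassembled = compare(size)
        print(f"segment size {size}: per-packet={per_packet} "
              f"reassembled={reassembled}")
```

With 8-byte segments the per-packet inspector scans 97 bytes and finds nothing, while the reassembling inspector finds the pattern but scans 721 bytes for the same traffic.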