Snort mailing list archives
RE: Snort max at 256 simultaneous TCP stream?
From: "Tom Fulton" <tfulton9909 () comcast net>
Date: Sat, 26 Jun 2004 10:45:37 -0700
I'm just trying to get a feel for how much a sensor can scale and when you may need to add other sensors on a given subnet -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Tom Fulton Sent: Saturday, June 26, 2004 10:34 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Snort max at 256 simultaneous TCP stream? In the Snort Users Manual for 1.9.1 (2.4.6 Stream4; p. 35) it states that Stream4 "should" be able to scale to handle 32,768 simultaneous TCP connections in its default config. That this is better for the large scale users who need ".to track more than 256 simultaneous TCP streams". Is this bottleneck (256 max TCP streams) for snort often experienced in normal operation when not running Stream4? What happens when this max is reached? Packets just get dropped? Any alerts or errors by default? What is the recommended memcap size for a sensor expecting to reach the 32,768 simultaneous TCP connections? Thanks tom
Current thread:
- Snort max at 256 simultaneous TCP stream? Tom Fulton (Jun 26)
- RE: Snort max at 256 simultaneous TCP stream? Tom Fulton (Jun 26)
- Re: Snort max at 256 simultaneous TCP stream? Edin Dizdarevic (Jun 26)
- Re: Snort max at 256 simultaneous TCP stream? Martin Roesch (Jun 28)
- RE: Snort max at 256 simultaneous TCP stream? Tom Fulton (Jun 26)