I do run an SG330, but the config is coming from a software appliance, and for a while now I have been getting the message: S5: Session exceeded configured max bytes to queue
So I decided to also double-check the cc get ips num_instances value first, which was 0 (default), so I changed it to 4, followed by:
cc get ips num_instances
/var/mdw/scripts/snort restart unused
/var/mdw/scripts/snort status unused
Further, what is the recommended setting for cc set ips snortsettings max_queued_bytes for the SG330?
Thanks and Greets
Addendum: I get the following errors as a bonus:
DynamicPlugin: Rule [3:13947] not enabled in configuration, rule will not be used.
WARNING: flowbits key 'file.jar' is checked but not ever set.
We have been here before...
Cheers - Bob
That's right, and yes, I do now fully understand the ips num_instances part, but I do not fully get the logic of max_queued_bytes:
1. If I type /var/mdw/scripts/snort status or restart, I get status UNUSED?
2. What's the difference between
cc set ips snortsettings max_queued_bytes
cc set ips queue_length
3. Based on what, or how, do I choose the right values?
My guess is that queue length relates to all IPS activity, not just Snort and that it is the maximum number of items to process. My guess concerning max_queued_bytes is that it is the maximum size of an item that Snort can consider without breaking the item up and processing it piecemeal. I haven't seen these in any documentation, but I did follow this community when some developers posted answers occasionally, and those were the things I remember when "reading between the lines."
If you do find definitive answers, please come back here and share.
Thanks for the feedback!