This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS - Performance question - snort status unused and max_queued_bytes ?

Hello,

I do run a sg330 but the config is coming from a soft.appliance and since a while I get the message: S5: Session exceeded configured max bytes to queue

So I deciced to also double check the cc get ips num_instances first which was 0 (default) so I changed it to 4 followd by:

/var/mdw/scripts/snort restart unused

/var/mdw/scripts/snort status unsed

Further what is the recommended setting for cc set ips snortsettings max_queued_bytes for the sg330 ?

Thanks and Greets

This thread was automatically locked due to age.

0 mfpck over 3 years ago

Add. I get the following erros as a bonus:

DynamicPlugin: Rule [3:13947] not enabled in configuration, rule will not be used.

WARNING: flowbits key 'file.jar' is checked but not ever set.

utm snort[28826]: FATAL ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: nf queue creation failed
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago

Wir sind schon hier gewesen...

https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/98463/ips-num_instances-performance/357723

https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/79574/seeing-session-exceeded-configured-max-bytes-to-queue-in-ips-logs

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 mfpck over 3 years ago in reply to BAlfson

That's right ./ and yes, I do now fully understand the ips num_instances part But I do not fully get the logic with s max_queued_bytes:

1. If I type /var/mdw/scripts/snort status or restart I get status UNUSED ?

2. What's the difference between

cc set ips snortsettings max_queued_bytes

and

cc set ips queue_length

3. Based on what or How to choose the right values ?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to mfpck

My guess is that queue length relates to all IPS activity, not just Snort and that it is the maximum number of items to process. My guess concerning max_queued_bytes is that it is the maximum size of an item that Snort can consider without breaking the item up and processing it piecemeal. I haven't seen these in any documentation, but I did follow this community when some developers posted answers occasionally, and those were the things I remember when "reading between the lines."

If you do find definitive answers, please come back here and share.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 mfpck over 3 years ago in reply to BAlfson

Thanks for the feedback!
Cancel
Vote Up 0 Vote Down

Cancel