Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 1434 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS - Performance question - snort status unused and max_queued_bytes ?

mfpck

Hello,

I do run a sg330 but the config is coming from a soft.appliance and since a while I get the message: S5: Session exceeded configured max bytes to queue

So I deciced to also double check the cc get ips num_instances first which was 0 (default) so I changed it to 4 followd by:

/var/mdw/scripts/snort restart unused

/var/mdw/scripts/snort status unsed 

Further what is the recommended setting for cc set ips snortsettings max_queued_bytes  for the sg330 ?

Thanks and Greets


                                                                                                                                                           



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to BAlfson

    That's right ./ and yes, I do now fully understand the ips num_instances part But I do not fully get the logic with s max_queued_bytes:

    1. If I type /var/mdw/scripts/snort status or restart I get status UNUSED ?

    2. What's the difference between

    cc set ips snortsettings max_queued_bytes

    and

    cc set ips queue_length

    3. Based on what or How to choose the right values ?

  • 0 in reply to mfpck

    My guess is that queue length relates to all IPS activity, not just Snort and that it is the maximum number of items to process.  My guess concerning max_queued_bytes is that it is the maximum size of an item that Snort can consider without breaking the item up and processing it piecemeal.  I haven't seen these in any documentation, but I did follow this community when some developers posted answers occasionally, and those were the things I remember when "reading between the lines."

    If you do find definitive answers, please come back here and share.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thanks for the feedback!

Unfiltered HTML