Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.
Hello,
I do run a sg330 but the config is coming from a soft.appliance and since a while I get the message: S5: Session exceeded configured max bytes to queue
So I deciced to also double check the cc get ips num_instances first which was 0 (default) so I changed it to 4 followd by:
cc get ips num_instances
/var/mdw/scripts/snort restart unused
/var/mdw/scripts/snort status unsed
Further what is the recommended setting for cc set ips snortsettings max_queued_bytes for the sg330 ?
Thanks and Greets
Wir sind schon hier gewesen...
https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/98463/ips-num_instances-performance/357723
https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/79574/seeing-session-exceeded-configured-max-bytes-to-queue-in-ips-logs
Cheers - Bob
That's right ./ and yes, I do now fully understand the ips num_instances part But I do not fully get the logic with s max_queued_bytes:
ips num_instances
1. If I type /var/mdw/scripts/snort status or restart I get status UNUSED ?
2. What's the difference between
cc set ips snortsettings max_queued_bytes
and
cc set ips queue_length
3. Based on what or How to choose the right values ?
My guess is that queue length relates to all IPS activity, not just Snort and that it is the maximum number of items to process. My guess concerning max_queued_bytes is that it is the maximum size of an item that Snort can consider without breaking the item up and processing it piecemeal. I haven't seen these in any documentation, but I did follow this community when some developers posted answers occasionally, and those were the things I remember when "reading between the lines."
If you do find definitive answers, please come back here and share.
Thanks for the feedback!