
IPS - Performance question - snort status unused and max_queued_bytes ?

Hello,

I run an SG330, but the config is coming from a software appliance, and for a while now I have been getting the message: S5: Session exceeded configured max bytes to queue

So I decided to also double-check cc get ips num_instances first, which was 0 (default), so I changed it to 4, followed by:

/var/mdw/scripts/snort restart unused

/var/mdw/scripts/snort status unused

Further, what is the recommended setting for cc set ips snortsettings max_queued_bytes for the SG330?

Thanks and Greets


  • That's right, and yes, I do now fully understand the ips num_instances part. But I do not fully get the logic of max_queued_bytes:

    1. If I type /var/mdw/scripts/snort status or restart, I get status UNUSED?

    2. What's the difference between

    cc set ips snortsettings max_queued_bytes

    and

    cc set ips queue_length

    3. Based on what, or how, do I choose the right values?

  • My guess is that queue length relates to all IPS activity, not just Snort and that it is the maximum number of items to process.  My guess concerning max_queued_bytes is that it is the maximum size of an item that Snort can consider without breaking the item up and processing it piecemeal.  I haven't seen these in any documentation, but I did follow this community when some developers posted answers occasionally, and those were the things I remember when "reading between the lines."

    If you do find definitive answers, please come back here and share.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA