Argus Database.

Russell Fulton r.fulton at auckland.ac.nz
Mon Mar 14 04:09:32 EST 2005


On Sun, 2005-03-13 at 20:44 -0800, Peter Van Epp wrote:

> 	The usual problem is a wide ranging port scan producing large numbers 
> of single flows to different hosts. The index tends to blow up and while adding 
> memory would help to some extent it is still possible to exhaust it (and doing 
> the same to disk would be much harder as it can be much much larger easily). 
> While the more memory trick would fix me for now, it wouldn't help someone 
> like Eric with 5 or 10 times my traffic and a general solution would be more 
> desirable.

The approach I have taken to limit memory consumption is to check the
size of hashes before adding more addresses. So, if I am collecting
destinations for a particular source, I keep a count in a hash entry and
if the count exceeds the threshold I just increment the counter and
don't add the destination to the hash.

Russell. 
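
The capped-hash approach described in the reply above, as an added example that is not part of the original post and is not Russell's code. The class and function names, the threshold of 4 and the flow records are all constructed for illustration.

```python
from collections import defaultdict

CAP = 4  # assumed threshold; small so the constructed sample exceeds it


class DestTracker:
    """Per-source destination sets that stop growing at `cap` entries."""

    def __init__(self, cap=CAP):
        self.cap = cap
        self.dests = defaultdict(set)   # src -> stored destinations (<= cap)
        self.count = defaultdict(int)   # src -> destinations counted

    def add(self, src, dst):
        seen = self.dests[src]
        if dst in seen:
            return                      # already stored, nothing new to count
        self.count[src] += 1
        if len(seen) < self.cap:
            seen.add(dst)
        # Over the cap only the counter moves. From here on the count may
        # include repeats, because unstored destinations cannot be deduped.

    def capped(self):
        """Sources whose counter passed the cap (wide-scan candidates)."""
        return sorted(s for s, n in self.count.items() if n > self.cap)

    def stored_entries(self):
        return sum(len(v) for v in self.dests.values())


def sample_flows():
    # Constructed (src, dst) pairs: one source sweeping 200 hosts, two clients.
    flows = [("10.0.0.9", f"192.0.2.{i}") for i in range(1, 201)]
    flows += [("10.0.0.5", "198.51.100.7")] * 3
    flows += [("10.0.0.6", "198.51.100.7"), ("10.0.0.6", "198.51.100.8")]
    return flows


def run(flows, cap=CAP):
    t = DestTracker(cap)
    for src, dst in flows:
        t.add(src, dst)
    return t


if __name__ == "__main__":
    t = run(sample_flows())
    print("capped:", t.capped(), "stored entries:", t.stored_entries())
```

Memory per source is bounded by the cap while the counter still shows how far the source went past it, so the scanning source stands out without its 200 destinations being stored.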