Argus memory issues
Russell Fulton
r.fulton at auckland.ac.nz
Mon Aug 20 19:03:32 EDT 2007
Carter Bullard wrote:
> Hey Peter,
> Oh lets adjust the timeout values, with all things back as you would
> normally run them. The goal here is to understand if your just churning
> through a lot of very short lived flows? The current timeouts are pretty
> long (30 secs) and so if your getting 200K flows per second of low volume
> flows, then this should bring you back into a healthy range.
>
> If this is useful, then the workaround is very easy, as I can
> put in the logic to give flows with (pkts < 3) a zero timeout value,
> which
> should get your memory back. That is a much easier fix than to enforce
> a small memory foot print.
>
> So in this strategy, argus would hold any flow for the status interval,
> hopefully that is a low number (5 secs is good, as 90% of flows live
> less than 2.5 seconds), and then for low volume flows, we immediately
> deallocate the flow cache.
This sounds most sensible. I'll try cutting the timeout values and see
what happens.
Hmmmm... one thing that we are seeing now is *lots* of ssh brute force
attacks, tens of thousands of short (5-10 pkt) tcp flows I wonder if
that is what has tipped us over the edge? The attacks are, of course
accompanied by very fast scans of our class B.
Russell.
More information about the argus
mailing list