Posted by user8446 on Nov 04, 2016; 12:52am
URL: https://itus.accessinnov.com/More-improvements-and-bugfixes-for-the-shield-tp1228p1236.html

Right off the bat I see you're hitting your memcap and max_queued_bytes. Each network is different depending on what's going across your wire (streaming, large files, etc.). I would bring then up some. Try this in your snort config:

..snip..

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp yes, \
   max_tcp 10000, \
   max_udp 10000, \
   memcap 10388608, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 3579067

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
   max_queued_bytes 3550531, \
   max_queued_segs 3621, \

..snip..