Snort mailing list archives
Re: "S5 pruned sessions from cache" messages
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 29 Apr 2008 13:56:36 -0400
It means that you haven't allocated enough memory to stream5's memcap. Basically when it hits the memcap limit due to trying to track too many sessions at once you need to raise the memcap limit until you stop getting those notifications. Try doubling it for starters and see what happens.
-Marty
On Apr 29, 2008, at 1:52 PM, Joe S wrote:
Correction: Running 2.8.1 ,,_ -*> Snort! <*- o" )~ Version 2.8.1 (Build 28) FreeBSD '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html (C) Copyright 1998-2008 Sourcefire Inc., et al. Using PCRE version: 7.4 2007-09-21 On Tue, Apr 29, 2008 at 10:50 AM, Joe S <js.lists () gmail com> wrote:I'm running Snort 2.8.0.1 on FreeBSD 7.0 (i386) and I'm getting tons of messages like this:S5: Pruned 25 sessions from cache. 2870 ssns for memcap: 8387663/8388608 S5: Pruned 5 sessions from cache. 2877 ssns for memcap: 8235241/8388608 S5: Pruned 20 sessions from cache. 2964 ssns for memcap: 8388299/8388608 S5: Pruned 5 sessions from cache. 2959 ssns for memcap: 8388559/8388608 S5: Pruned 5 sessions from cache. 2954 ssns for memcap: 8387708/8388608 S5: Pruned 5 sessions from cache. 2947 ssns for memcap: 8387840/8388608 S5: Pruned 70 sessions from cache. 2877 ssns for memcap: 8387838/8388608 S5: Pruned 15 sessions from cache. 2862 ssns for memcap: 8388366/8388608 S5: Pruned 25 sessions from cache. 2837 ssns for memcap: 8388348/8388608 S5: Pruned 10 sessions from cache. 2827 ssns for memcap: 8388233/8388608 S5: Pruned 5 sessions from cache. 2822 ssns for memcap: 8387495/8388608 S5: Pruned 5 sessions from cache. 2817 ssns for memcap: 8360849/8388608 S5: Pruned 5 sessions from cache. 2826 ssns for memcap: 8388047/8388608 S5: Pruned 35 sessions from cache. 2793 ssns for memcap: 8387029/8388608I've searched the archives, but have not found anything. Why am I getting these messages? What do they mean?------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) ConferenceDon't miss this year's exciting event. There's still time to save $100.Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source IDP - http://www.snort.org
Attachment:
PGP.sig
Description: This is a digitally signed message part
------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- "S5 pruned sessions from cache" messages Joe S (Apr 29)
- Re: "S5 pruned sessions from cache" messages Joe S (Apr 29)
- Re: "S5 pruned sessions from cache" messages Martin Roesch (Apr 29)
- Re: "S5 pruned sessions from cache" messages Joe S (Apr 29)
- Re: "S5 pruned sessions from cache" messages Martin Roesch (Apr 29)
- Re: "S5 pruned sessions from cache" messages Joe S (Apr 29)