Snort mailing list archives

S5: Session exceeded configured max bytes


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 14 Dec 2009 10:35:02 +1300

Hi there

Some of our snort-2.8.5.1 IDS systems are generating the following after
they've been running for "a while" (hours or days - we haven't diagnosed
it further)

S5: Session exceeded configured max bytes to queue 1048576 using 1048641
bytes (client queue).

I think that refers to max_queued_bytes? Can someone explain how this
queue can become full? I'm wondering if it's related to network load? I'm
guessing here, but is it lots of simultaneous tcp sessions leading to
per-session queues growing - which means if more data is coming in than
can be quickly dealt with, you end up with this queue being exceeded?
What's the impact of increasing max_queued_bytes? More memory used of
course, but (again, guessing) increasing could help you around bursts -
but probably not around prolonged intense traffic flows? So if you don't
have a burst problem, then that would imply your hardware isn't up to
the load? (i.e. need more RAM and/or faster CPU, bus/whatever)

I hope my guesses are right there - otherwise it's a lot of blather
about nothing ;-)

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
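
Added example, not part of the original post and not Snort project code: a small Python tally of the S5 message quoted above, grouped by hour and by queue side, to help separate short bursts from sustained load. The syslog-style timestamp prefix, the host name `ids1`, and the "server" queue name are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Message wording is taken from the post. The syslog-style prefix and the
# "server" queue name are assumptions made for this example.
S5_RE = re.compile(
    r"^(?P<hour>\w{3}\s+\d+\s+\d\d):\d\d:\d\d\s.*?"
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<side>\w+) queue\)"
)

# Constructed sample lines, not real captures.
SAMPLE = """\
Dec 14 09:01:12 ids1 snort[411]: S5: Session exceeded configured max bytes to queue 1048576 using 1048641 bytes (client queue).
Dec 14 09:01:13 ids1 snort[411]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue).
Dec 14 09:02:40 ids1 snort[411]: S5: Session exceeded configured max bytes to queue 1048576 using 1048700 bytes (server queue).
Dec 14 13:30:05 ids1 snort[411]: S5: Session exceeded configured max bytes to queue 1048576 using 1049000 bytes (client queue).
Dec 14 13:31:00 ids1 snort[411]: some unrelated message
"""

def summarize(lines):
    """Tally S5 queue-limit messages by hour and queue side, plus worst overshoot per limit."""
    per_hour, per_side, worst = Counter(), Counter(), {}
    for line in lines:
        m = S5_RE.search(line)
        if m is None:
            continue  # not an S5 queue-limit message
        limit, used = int(m["limit"]), int(m["used"])
        per_hour[m["hour"]] += 1
        per_side[m["side"]] += 1
        worst[limit] = max(worst.get(limit, 0), used - limit)
    return per_hour, per_side, worst

if __name__ == "__main__":
    per_hour, per_side, worst = summarize(SAMPLE.splitlines())
    for hour, n in sorted(per_hour.items()):
        print(f"{hour}:00  {n} message(s)")
    print("by queue:", dict(per_side))
    for limit, over in worst.items():
        print(f"limit {limit}: worst overshoot {over} bytes")
```

Messages clustered in a few hours versus spread across all of them is one way to tell the burst case from the sustained-load case the post asks about.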
