Snort mailing list archives

Re: [Spam] Re: S5 prunes


From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 30 Sep 2011 08:29:51 -0600



-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Friday, September 30, 2011 6:56 AM
To: Peter Bates
Cc: snort-users () lists sourceforge net
Subject: [Spam] Re: [Snort-users] S5 prunes
Importance: Low

Looks like you are reaching the max memcap in Stream5.  You can increase
this value in your snort.conf file.

Joel


While we're at it, what's the difference between segments and bytes?

Sep 29 21:44:19 snort[31322]: S5: Session exceeded configured max segs
to queue 2621 using 2621 segs (server queue). 70.196.8.120 1079 -->
<ext_ip> 443 (0) : LWstate 0x9 LWFlags 0x6007

Sep 29 22:30:28 snort[31290]: S5: Session exceeded configured max bytes
to queue 1048576 using 1048817 bytes (server queue). <int_ip> 1134 -->
<int_ip> 445 (0) : LWstate 0x9 LWFlags 0x6007

And do I set that in global under max_tcp or memcap, or under tcp
small_segments?  Thanks all.

James
