Snort mailing list archives
Re: Maybe a problem with my bpf filters
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Thu, 29 Nov 2012 14:12:38 +0000
On Wed, Nov 28, 2012 at 1:36 PM, C. L. Martinez <carlopmart () gmail com> wrote:
> On Wed, Nov 28, 2012 at 9:02 AM, C. L. Martinez <carlopmart () gmail com> wrote:
>> Hi all,
>>
>> I am seeing a lot of messages like this after my snort sensor goes up:
>>
>> Nov 27 20:28:37 newfsbd snort[29761]: S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue). 10.201.27.24 2627 --> 10.196.0.12 80 (0) : LWstate 0x9 LWFlags 0x406007
>> Nov 27 20:28:37 newfbsd snort[29761]: S5: Pruned session from cache that was using 4294826 bytes (closed normally). 10.201.27.24 2627 --> 10.196.0.12 80 (0) : LWstate 0x9 LWFlags 0x60e007
>> Nov 27 20:30:45 newfbsd snort[29761]: S5: Pruned session from cache that was using 1966875 bytes (closed normally). 10.196.4.5 17842 --> 10.196.0.72 25 (0) : LWstate 0x9 LWFlags 0x40e007
>> Nov 27 20:32:14 newfbsd snort[29761]: S5: Pruned session from cache that was using 3919030 bytes (closed normally). 10.201.27.24 2682 --> 10.196.0.12 80 (0) : LWstate 0x9 LWFlags 0x40e007
>>
>> Searching about this problem, some people point to a problem with stream5's configuration, but I think the problem is in my bpf config file. I have tried to increase memcap in the stream5 config and set the max_queued_bytes param to 0, without luck. For these reasons I think the problem is in the filter settings: snort only sees some portion of the stream (like Russ Combs says here http://marc.info/?l=snort-users&m=134193815409615&w=2).
>>
>> My actual bpf.conf filter is:
>>
>> not (tcp port 3310 or tcp port 3333 or tcp port 3600 or tcp port 3610 or tcp port 8000 or tcp port 8080 or tcp port 8100) or not (tcp portrange 50000-50010 or tcp portrange 51000-51010)
>>
>> Any idea??
>
> Sorry, the complete bpf filter is:
>
> not (tcp port 80 or tcp port 81 or tcp port 82 or tcp port 1090 or tcp port 3200 or tcp port 3210 or tcp port 3300) or not (tcp port 3310 or tcp port 3333 or tcp port 3600 or tcp port 3610 or tcp port 8000 or tcp port 8080 or tcp port 8100) or not (tcp portrange 50000-50010 or tcp portrange 51000-51010)
Please any idea about this??
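As an added example that is not part of the thread, the following Python models the boolean structure of the posted bpf.conf expression and evaluates it over a few constructed TCP packets, two of which reuse the endpoints from the S5 messages above. In libpcap syntax `not` binds tighter than `or`, so the posted expression is `(not A) or (not B) or (not C)`; the block evaluates that form next to the single-negation form `not (A or B or C)`, so the reader can see what each one actually passes to the sensor. Only the `tcp port` and `tcp portrange` primitives are modelled; the packet tuples and the 443 / 3310 / 50005 ports are constructed for illustration.

```python
# Added example, not code from the thread or from Snort/libpcap.
# Models the three port groups of the posted bpf.conf expression and
# evaluates two boolean arrangements of them over constructed packets.

GROUP_A = {80, 81, 82, 1090, 3200, 3210, 3300}
GROUP_B = {3310, 3333, 3600, 3610, 8000, 8080, 8100}
GROUP_C_RANGES = [(50000, 50010), (51000, 51010)]


def tcp_port(ports, src, dst):
    """'tcp port N' matches when either endpoint is N (libpcap semantics)."""
    return src in ports or dst in ports


def tcp_portrange(ranges, src, dst):
    """'tcp portrange A-B' matches when either endpoint lies in A..B."""
    return any(lo <= p <= hi for (lo, hi) in ranges for p in (src, dst))


def posted_filter(src, dst):
    """Posted expression: not (A) or not (B) or not (C).

    'not' binds tighter than 'or', so each group is negated separately.
    A packet is dropped only if A, B and C are all true at once, which
    needs ports from three disjoint groups but a TCP packet has only two.
    """
    a = tcp_port(GROUP_A, src, dst)
    b = tcp_port(GROUP_B, src, dst)
    c = tcp_portrange(GROUP_C_RANGES, src, dst)
    return (not a) or (not b) or (not c)


def single_negation_filter(src, dst):
    """Single-negation form: not (A or B or C), which excludes every listed port."""
    a = tcp_port(GROUP_A, src, dst)
    b = tcp_port(GROUP_B, src, dst)
    c = tcp_portrange(GROUP_C_RANGES, src, dst)
    return not (a or b or c)


# Constructed packets (src_ip, src_port, dst_ip, dst_port). The first two
# reuse endpoints from the S5 messages in the thread; the rest are made up
# so that every port group is exercised.
SAMPLE_PACKETS = [
    ("10.201.27.24", 2627, "10.196.0.12", 80),    # HTTP session pruned by S5
    ("10.196.4.5", 17842, "10.196.0.72", 25),     # SMTP session pruned by S5
    ("10.0.0.1", 40000, "10.0.0.2", 3310),        # group B only
    ("10.0.0.1", 80, "10.0.0.2", 50005),          # group A and group C
    ("10.0.0.1", 40000, "10.0.0.2", 443),         # no listed port at all
]


def evaluate(filter_fn, packets=SAMPLE_PACKETS):
    """Return (packet, accepted) pairs for one filter form."""
    return [(pkt, filter_fn(pkt[1], pkt[3])) for pkt in packets]


def accepted_count(filter_fn, packets=SAMPLE_PACKETS):
    """How many of the packets the filter hands to the sensor."""
    return sum(1 for _, ok in evaluate(filter_fn, packets) if ok)


def posted_filter_accepts_all_pairs(ports):
    """Check the posted form over every src/dst pair drawn from 'ports'.

    Pass one representative port per group plus one unlisted port; if every
    pair is accepted, the filter is excluding nothing for those ports.
    """
    return all(posted_filter(s, d) for s in ports for d in ports)


def main():
    for name, fn in (("posted", posted_filter), ("single-negation", single_negation_filter)):
        print(f"--- {name} form ---")
        for (sip, sp, dip, dp), ok in evaluate(fn):
            print(f"{sip}:{sp} -> {dip}:{dp}  {'ACCEPT' if ok else 'drop'}")
    print("posted form accepts every pair of representative ports:",
          posted_filter_accepts_all_pairs([80, 3310, 50005, 443]))


if __name__ == "__main__":
    main()
```

The practical check on a real sensor is the same one in reverse: run `tcpdump -i <iface> '<expression>'` with the exact bpf.conf expression and watch whether traffic on the ports you meant to exclude still appears, then compare against the single-negation form before changing the sensor's configuration.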
Current thread:
- Maybe a problem with my bpf filters C. L. Martinez (Nov 28)
- Re: Maybe a problem with my bpf filters C. L. Martinez (Nov 28)
- Re: Maybe a problem with my bpf filters C. L. Martinez (Nov 29)
- Re: Maybe a problem with my bpf filters C. L. Martinez (Nov 28)