Snort mailing list archives
Bug in stream5 global - prune_log_max <bytes>
From: elof () sentor se
Date: Wed, 13 Mar 2013 13:42:35 +0100 (CET)
Hi!

Just wanted to report a bug.

The README.stream5 and manual state that setting 'prune_log_max' to 0 should disable logging completely. This is not the case. Instead I get LOTS of logs, for sessions that are using just a few bytes.

(The default, if not specifying any 'prune_log_max' at all, is to only log a message if a terminated session used more than 1 MB of data.)

preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5, prune_log_max 0, memcap 640578048

Result: My syslog spews out these lines at a high rate:

Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045 (0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 33260 --> x.x.x.x 32474 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 21758 --> x.x.x.x 32474 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 65513 --> x.x.x.x 32474 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40129 (0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 21872 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40402 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 41445 --> x.x.x.x 32474 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 1032 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 42689 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 6330 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 35536 (0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 1032 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 57815 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 394 bytes (new data/timedout). x.x.x.x 13764 --> x.x.x.x 20380 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 396 bytes (new data/timedout). x.x.x.x 6907 --> x.x.x.x 20380 (0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 26381 bytes (new data/timedout). x.x.x.x 1009 --> x.x.x.x 48385 (0) : LWstate 0x8f LWFlags 0x16007

/Elof

Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
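Added example (not part of the original post and not Snort code): a Python check that reads syslog lines in the format quoted above and lists the S5 prune messages that the documented 'prune_log_max' behaviour should have suppressed. The function names and sample lines are constructed for illustration, and 1 MB is taken as 1048576 bytes.

```python
import re

# Behaviour as described in the report: 0 should disable the message; the
# default logs only sessions over 1 MB (taken here as 1048576 bytes, an assumption).
DEFAULT_PRUNE_LOG_MAX = 1048576

PRUNE_RE = re.compile(
    r"snort\[\d+\]: S5: Pruned session from cache that was using "
    r"(?P<bytes>\d+) bytes \((?P<reason>[^)]*)\)"
)

def unexpected_prune_logs(lines, prune_log_max=DEFAULT_PRUNE_LOG_MAX):
    """Return byte counts of prune messages the configured value should have suppressed."""
    hits = []
    for line in lines:
        m = PRUNE_RE.search(line)
        if m is None:
            continue  # not an S5 prune message
        used = int(m.group("bytes"))
        # 0 means no message at all; otherwise only sessions above the limit qualify.
        if prune_log_max == 0 or used <= prune_log_max:
            hits.append(used)
    return hits

def summarize(hits):
    """Condense the unexpected messages into a count and size range."""
    if not hits:
        return {"count": 0, "min_bytes": None, "max_bytes": None}
    return {"count": len(hits), "min_bytes": min(hits), "max_bytes": max(hits)}

# Constructed sample lines in the format quoted in the post (hypothetical values).
SAMPLE = [
    "Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045 (0) : LWstate 0xc8 LWFlags 0x416107",
    "Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 21872 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40402 (0) : LWstate 0xc8 LWFlags 0x12107",
    "Mar 13 12:27:39 myhost snort[26489]: S5: Pruned session from cache that was using 2097152 bytes (new data/timedout). x.x.x.x 1009 --> x.x.x.x 48385 (0) : LWstate 0x8f LWFlags 0x16007",
    "Mar 13 12:27:39 myhost sshd[101]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for limit in (0, DEFAULT_PRUNE_LOG_MAX):
        print(limit, summarize(unexpected_prune_logs(SAMPLE, limit)))
```

A non-empty result for the value set in stream5_global means the sensor is writing prune messages that the configuration should have kept out of syslog.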
Current thread:
- Bug in stream5 global - prune_log_max <bytes> elof (Mar 13)
- <Possible follow-ups>
- Re: Bug in stream5 global - prune_log_max <bytes> Gregory S Thomas (Mar 13)
- Re: Bug in stream5 global - prune_log_max <bytes> Bhagya Bantwal (Mar 13)