Snort mailing list archives
Re: Snort Memcap issue
From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 23 Apr 2014 17:25:16 +0000
You need increase memcap to get rid of this. Lower max_tcp also helps. Best, Hui From: Mnemonyss <mnemonyss () gmail com<mailto:mnemonyss () gmail com>> Date: Wednesday, April 23, 2014 at 1:17 PM To: "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>> Subject: [Snort-users] Snort Memcap issue I am continuing to see these and would like to know if there's some alternate configuration I should try to get rid of this output: Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain. memcap: 1073738736/1073741824 Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain. memcap: 1073736864/1073741824 Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain. memcap: 1073739717/1073741824 Version: Snort 2.9.6.0 Stream5 configuration: # Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5 preprocessor stream5_global: track_tcp yes, \ track_udp no, \ track_icmp no, \ max_tcp 25600, \ memcap 1073741824, \ max_active_responses 2, \ min_response_seconds 5, \ prune_log_max 0 If I lower the max_tcp would it effectively lower the amount of sessions in memcap? Please advise, Alicia S.
------------------------------------------------------------------------------ Start Your Social Network Today - Download eXo Platform Build your Enterprise Intranet with eXo Platform Software Java Based Open Source Intranet - Social, Extensible, Cloud Ready Get Started Now And Turn Your Intranet Into A Collaboration Platform http://p.sf.net/sfu/ExoPlatform
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort Memcap issue Mnemonyss (Apr 23)
- Re: Snort Memcap issue Hui Cao (huica) (Apr 23)
- Re: Snort Memcap issue Mnemonyss (Apr 23)
- Re: Snort Memcap issue Kurzawa, Kevin (Apr 23)
- Re: Snort Memcap issue Mnemonyss (Apr 23)
- Re: Snort Memcap issue Hui Cao (huica) (Apr 23)