Snort mailing list archives
Re: preprocessor stream5_global prune_log_max 0
From: elof () sentor se
Date: Mon, 25 Jan 2016 13:09:06 +0100 (CET)
Doh! Never mind. My bad.

I had made changes to the startup script to dynamically replace the prune_log_max value with the maximum allowed value, so my test with value '0' never got tested since the 0 got overwritten at startup.

Now I have fixed the startup script not to mess with prune_log_max and S5 is indeed not spamming the syslog any more.

Thanks. And sorry.

/Elof

On Mon, 25 Jan 2016, elof () sentor se wrote:
This is a bump to inform you that the problem persists in snort 2.9.8.0.

I see that the source code has been altered in the sections that log the "S5: Session exceeded" messages, but apparently the bug was not fixed.

The manual still states:

prune_log_max <num bytes>
Print a message when a session terminates that was consuming more than the specified number of bytes. The default is "1048576" (1MB), minimum can be either "0" (disabled) or if not disabled the minimum is "1024" and maximum is "1073741824".

I set it to 0, but still get thousands of S5 lines in the syslog.

/Elof

On Fri, 27 Mar 2015, Victor Roemer wrote:

Elof,

I'm aware of changes to Snort which we've added new "config:" options to make Stream5 less noisy. I'll have to check but they should be in the next major release.

~Victor

On 03/27/15 9:20, elof () sentor se wrote:

Will this bug ever be fixed?

See my initial report from 2 years ago, http://seclists.org/snort/2013/q1/952 and the proposed solution by Gregory in http://seclists.org/snort/2013/q1/967

I tried to mute the flood of prune-messages by setting prune_log_max to 1073741824, but it still spams my syslog. :(

Perhaps you should review the logging mechanism? I think setting prune_log_max to either 0 or the maximum value should disable the logging completely.

I then tried an even higher value, to make it shut up, but then I get:

snort[64286]: FATAL ERROR: snort.conf(178) => Invalid Prune Log Max. Must be 0 (disabled) or between 1024 and 1073741824

So I revert back to filtering the spam in my syslog-conf instead. :-/

/Elof
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
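The failure mode in this thread (a startup script rewriting prune_log_max, so the value under test was never in effect) can be caught by checking the configuration file Snort is actually started with against the file that was edited. This is an added example, not code from the original messages or from the Snort project; the function names and sample configs are constructed, the limits are the ones quoted from the manual above, and it assumes the last stream5_global line is the one in effect.

```python
import re

# Limits as quoted from the manual in the message above.
PRUNE_MIN, PRUNE_MAX, PRUNE_DEFAULT = 1024, 1073741824, 1048576

def effective_prune_log_max(conf_text):
    """Return (value, status) for stream5_global prune_log_max in conf_text."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)    # join backslash-continued lines
    result = (None, "not configured")
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"preprocessor\s+stream5_global\b\s*:?\s*(.*)", line)
        if not m:
            continue
        raw = str(PRUNE_DEFAULT)                      # option absent: manual's default
        for opt in m.group(1).split(","):
            parts = opt.split()
            if len(parts) == 2 and parts[0] == "prune_log_max":
                raw = parts[1]
        if not raw.isdigit():
            result = (raw, "invalid")
        elif int(raw) == 0:
            result = (0, "disabled")
        elif PRUNE_MIN <= int(raw) <= PRUNE_MAX:
            result = (int(raw), "enabled")
        else:
            result = (int(raw), "invalid")
    return result  # assumption: the last stream5_global line wins

def drift(edited_text, loaded_text):
    """Describe a mismatch between the edited config and the one Snort loads."""
    a = effective_prune_log_max(edited_text)
    b = effective_prune_log_max(loaded_text)
    return None if a == b else f"edited file gives {a}, loaded file gives {b}"

# Constructed samples: the file as edited, and the file after a startup
# script has rewritten the option to the maximum allowed value.
EDITED = ("preprocessor stream5_global: track_tcp yes, \\\n"
          "    track_udp yes, prune_log_max 0\n")
GENERATED = ("preprocessor stream5_global: track_tcp yes, "
             "track_udp yes, prune_log_max 1073741824\n")

if __name__ == "__main__":
    print(effective_prune_log_max(EDITED))
    print(effective_prune_log_max(GENERATED))
    print(drift(EDITED, GENERATED))
```
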
Current thread:
- Re: preprocessor stream5_global prune_log_max 0 elof (Jan 25)
- Re: preprocessor stream5_global prune_log_max 0 elof (Jan 25)