Re: preprocessor stream5_global prune_log_max 0

[elof () sentor se]

Doh! Never mind. My bad.

I had made changes to the startup script to dynamically replace the 
prune_log_max value with the maximum allowed value, so my test with 
value '0' never got tested since the 0 got overwritten at startup.

Now I have fixed the startup script not to mess with prune_log_max and S5 
is indeed not spamming the syslog any more.

Thanks. And sorry.

/Elof


On Mon, 25 Jan 2016, elof () sentor se wrote:

> This is a bump to inform you that the problem persists in snort 2.9.8.0.
>
> I see that the source code has been altered in the sections that log the
> "S5: Session exceeded" messages, but apparently the bug was not fixed.
>
> The manual still states:
>
> prune_log_max <num bytes>
>
> Print a message when a session terminates that was consuming more than the
> specified number of bytes. The default is "1048576" (1MB), minimum can be
> either "0" (disabled) or if not disabled the minimum is "1024" and maximum
> is "1073741824".
>
>
>
> I set it to 0, but still get thousands of S5 lines in the syslog.
>
> /Elof
>
>
>
> On Fri, 27 Mar 2015, Victor Roemer wrote:
>
> > Elof, I'm aware of changes to Snort which we've added new "config:"
> > options to make Stream5 less noisy. I'll have to check but they should
> > be in the next major release.
> >
> > ~Victor
> >
> > On 03/27/15 9:20, elof () sentor se wrote:
> > > > Will this bug ever be fixed?
> > > >
> > > > See my initial report from 2 years ago, http://seclists.org/snort/2013/q1/952
> > > > and the proposed solution by Gregory in http://seclists.org/snort/2013/q1/967
> > >
> > > I tried to mute the flood of prune-messages by setting prune_log_max to 1073741824, but it still spam my syslog. :(
> > >
> > > Perhaps you should review the logging mechanism? I think setting
> > > prune_log_max to either 0 or the maximum value should disable the logging
> > > completely.
> > >
> > >
> > >
> > >
> > > I then tried an even higher value, to make it shut up, but then I get:
> > >
> > > snort[64286]: FATAL ERROR: snort.conf(178) => Invalid Prune Log Max.  Must be 0 (disabled) or between 1024 and 
> > > 1073741824
> > >
> > >
> > > So I revert back to filtering the spam in my syslog-conf instead. :-/
> > >
> > > /Elof
> > >
> > > ------------------------------------------------------------------------------
> > > Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> > > by Intel and developed in partnership with Slashdot Media, is your hub for all
> > > things parallel software development, from weekly thought leadership blogs to
> > > news, videos, case studies, tutorials and more. Take a look and join the
> > > conversation now. http://goparallel.sourceforge.net/
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > Archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> > by Intel and developed in partnership with Slashdot Media, is your hub for all
> > things parallel software development, from weekly thought leadership blogs to
> > news, videos, case studies, tutorials and more. Take a look and join the
> > conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > Archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!