Snort mailing list archives
Re: S5: Session exceeded configured max bytes to queue
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 10 Jul 2012 12:31:21 -0400
On Tue, Jun 26, 2012 at 9:41 AM, Christian bzzzz <ha1l () hotmail com> wrote:
Hello Everyone,

I recently compiled and installed snort 2.9.2.3 on two of our Linux systems: Unfortunately I keep seeing these messages:

S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue).
S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue).
S5: Session exceeded configured max bytes to queue 1048576 using 1048872 bytes (client queue).

The default stream5 configuration is of course not optimum. As I understand from README.stream5 it is possible to raise the memcap from default (8MB) to (1GB):

memcap <bytes> - Memcap for TCP packet storage. The default is "8388608" (8MB), maximum is "1073741824" (1GB), minimum is "32768" (32KB).

The memcap is of course set to maximum. One of the machines is equipped with 72GB of RAM, but I guess that won't help anything since I can't raise the memcap further.
This is not a memcap issue. There is a separate limit on the number of bytes that stream5 will queue (max_queued_bytes) and on the number of segments queued (max_queued_segs). You can increase those numbers, however, 1 MB is a lot to queue. As the queue grows, it can take longer to handle out of order segments and that results in increased latency and eventually drops.

Do you know if you have asymmetric traffic? This is often caused by not seeing one side of the session. In that case, increasing max_queued_* won't help. Suggest capturing sessions based on IPs and ports in the "S5 exceeded" messages and seeing what is going on there.
I have tried many different things in order to tune it, unfortunately without success. This is the start up line:

./bin/snort -c etc/snort.conf --daq-dir=/localdisk1/lib/daq --daq afpacket --daq-mode passive --daq-var buffer_size_mb=3900 -i eth2 -b -l $livedatadir/livealert

Any suggestions what to do?

As a side note: interestingly on an ancient installation 2.8.4 (with Phil Woods mmap) these problems were not there. Also the performance of that old installation seemed to be clearly better than the performance of the current 2.9.2.3 installation (even though the HW where the 2.9.2.3 is installed, is superior to the 2.8.4 one)

Thank you in advance,
Christian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
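Following the suggestion in the reply to capture the sessions named in the "S5 exceeded" messages, this added example (not from the thread or from Snort) tallies the messages per session and builds a tcpdump-style BPF filter covering both directions of each one. The sample log is constructed, and the "IP port --> IP port" suffix after "(client queue)." is an assumed format, since the lines quoted in the thread show only the byte counts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample. The text up to "(client queue)." is the message quoted in
# the thread; the "IP port --> IP port" suffix is an assumed format.
SAMPLE_LOG = """\
S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue). 192.0.2.10 51515 --> 198.51.100.7 80
S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue). 192.0.2.10 51515 --> 198.51.100.7 80
S5: Session exceeded configured max bytes to queue 1048576 using 1048872 bytes (server queue). 192.0.2.44 40022 --> 203.0.113.9 443
S5: Session exceeded configured max bytes to queue 1048576 using 1048999 bytes (client queue). 999.1.1.1 80 --> 192.0.2.1 99999
unrelated line that must be ignored
"""

S5_RE = re.compile(
    r"S5: Session exceeded configured max bytes to queue (\d+) using (\d+) bytes"
    r" \((client|server) queue\)\.\s+(\S+) (\d+) --> (\S+) (\d+)"
)

def parse_sessions(log_text):
    """Count queue-limit messages per (src, sport, dst, dport, queue side)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = S5_RE.search(line)
        if not m:
            continue
        _limit, _used, side, src, sport, dst, dport = m.groups()
        try:
            # Validate before anything from a log line reaches a capture filter.
            src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
        except ValueError:
            continue
        sport, dport = int(sport), int(dport)
        if sport > 65535 or dport > 65535:
            continue
        hits[(src, sport, dst, dport, side)] += 1
    return hits

def capture_filter(hits, top=5):
    """BPF expression matching both directions of the most frequent sessions."""
    sessions = []
    for (src, sport, dst, dport, _side), _count in hits.most_common():
        if (src, sport, dst, dport) not in sessions:
            sessions.append((src, sport, dst, dport))
    return " or ".join(
        f"(tcp and host {s} and host {d} and port {sp} and port {dp})"
        for s, sp, d, dp in sessions[:top]
    )

if __name__ == "__main__":
    print(capture_filter(parse_sessions(SAMPLE_LOG)))
```

If the resulting capture shows packets in only one direction for a session, that is the asymmetric-traffic case from the reply, where increasing max_queued_* won't help.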