Snort mailing list archives

Re: memcap limit error


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 31 May 2013 14:50:14 -0400

On May 31, 2013, at 2:44 PM, "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields () nih gov> wrote:

I’m seeing the following error messages show up (/var/log/messages).
 
May 31 14:02:06 sysabc snort[10890]: S5: Pruned 5 sessions from cache for memcap. 812 ssns remain.  memcap: 8386339/8388608
May 31 14:02:06 sysabc snort[10890]: S5: Pruned 10 sessions from cache for memcap. 803 ssns remain.  memcap: 8381933/8388608
 
I believe I need to increase the memcap setting; however, I am uncertain which entry in the config file (snort.conf) needs to be increased.  It is unclear to me which one is causing the error.  Help please!
 
 
Here are config file settings (all are at defaults) with memcap:
 
# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
   memcap 262144 \
 
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
preprocessor dcerpc2: memcap 102400, events [co ]

None of the above.

http://manual.snort.org/node17.html#SECTION00322000000000000000

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
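
The comparison behind the reply, as an added example that is not part of the original thread: it reads the limit out of the `S5` prune messages and checks it against the memcap values in the quoted config, normalised to bytes. The unit table is an assumption taken from the Snort 2.9 manual (dnp3 in bytes, dcerpc2 in kilobytes, reputation in megabytes).

```python
import re

# Log lines from the post, with the e-mail wrap before used/limit undone.
LOG = """
May 31 14:02:06 sysabc snort[10890]: S5: Pruned 5 sessions from cache for memcap. 812 ssns remain.  memcap: 8386339/8388608
May 31 14:02:06 sysabc snort[10890]: S5: Pruned 10 sessions from cache for memcap. 803 ssns remain.  memcap: 8381933/8388608
"""
# memcap-bearing config lines from the post (an excerpt, not a full snort.conf).
CONF = r"""
preprocessor dnp3: ports { 20000 } \
   memcap 262144 \
preprocessor reputation: \
   memcap 500, \
preprocessor dcerpc2: memcap 102400, events [co ]
"""
# Assumed units per preprocessor (Snort 2.9 manual), as multipliers to bytes.
UNIT = {"dnp3": 1, "dcerpc2": 1024, "reputation": 1024 * 1024}

PRUNE = re.compile(
    r"snort\[\d+\]: (\w+): Pruned (\d+) sessions from cache for memcap\."
    r" (\d+) ssns remain\.\s+memcap: (\d+)/(\d+)")

def parse_prunes(log):
    """One record per prune message: tag, pruned, remaining, used, limit."""
    keys = ("pruned", "remaining", "used", "limit")
    return [dict(tag=m.group(1), **dict(zip(keys, map(int, m.groups()[1:]))))
            for m in PRUNE.finditer(log)]

def parse_memcaps(conf):
    """Map each preprocessor in the excerpt to its memcap, in bytes."""
    caps, current = {}, None
    for line in conf.splitlines():
        head = re.match(r"\s*preprocessor\s+(\w+)", line)
        if head:
            current = head.group(1)
        value = re.search(r"\bmemcap\s+(\d+)", line)
        if value and current:
            caps[current] = int(value.group(1)) * UNIT.get(current, 1)
    return caps

def owners(limit, caps):
    """Preprocessors whose configured memcap equals the limit in the log."""
    return sorted(name for name, cap in caps.items() if cap == limit)

if __name__ == "__main__":
    caps = parse_memcaps(CONF)
    for p in parse_prunes(LOG):
        print(f"{p['tag']}: {p['used']}/{p['limit']} ({p['used'] / p['limit']:.2%} used),"
              f" matching config entries: {owners(p['limit'], caps) or 'none'}")
```

The limit in the log, 8388608, matches none of the three quoted settings; the `S5` tag marks the message as coming from the Stream5 preprocessor.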