Snort mailing list archives

Re: Snort Memcap issue


From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 23 Apr 2014 17:25:16 +0000

You need to increase memcap to get rid of this. Lowering max_tcp also helps.

Best,
Hui

From: Mnemonyss <mnemonyss () gmail com>
Date: Wednesday, April 23, 2014 at 1:17 PM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort Memcap issue


I am continuing to see these and would like to know if there's some alternate configuration I should try to get rid of this output:
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824


Version: Snort 2.9.6.0

Stream5 configuration:


# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no, \
   max_tcp 25600, \
   memcap 1073741824, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 0


If I lower the max_tcp would it effectively lower the amount of sessions in memcap?

Please advise,

Alicia S.
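
One way to quantify the prune messages quoted above, as an added example that is not part of the original thread or of Snort itself: it parses the "S5: Pruned ..." syslog lines (the three from the post, embedded as sample input) and reports memcap utilization, tracked sessions relative to max_tcp, and a rough average of memcap bytes per tracked session. The function names are hypothetical, and the per-session figure is only an estimate derived from the logged counters.

```python
import re

# Sample input: the three syslog lines quoted in the post, unwrapped.
SAMPLE = """\
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824
"""

# \s+ after "memcap:" also matches a line wrapped by a mail archive.
PRUNE_RE = re.compile(
    r"S5: Pruned (?P<pruned>\d+) sessions from cache for memcap\.\s+"
    r"(?P<remain>\d+) ssns remain\.\s+memcap:\s+(?P<used>\d+)/(?P<cap>\d+)"
)


def parse_prunes(text):
    """Return one dict of ints per Stream5 memcap prune message in text."""
    return [{k: int(v) for k, v in m.groupdict().items()}
            for m in PRUNE_RE.finditer(text)]


def summarize(events, max_tcp):
    """Summarize prune events against the configured max_tcp value."""
    if not events:
        return None
    peak = max(events, key=lambda e: e["used"] / e["cap"])
    # Rough estimate: memcap bytes in use divided by sessions still tracked.
    avg = sum(e["used"] / e["remain"] for e in events) / len(events)
    return {
        "events": len(events),
        "sessions_pruned": sum(e["pruned"] for e in events),
        "peak_utilization": peak["used"] / peak["cap"],
        "session_fill": max(e["remain"] for e in events) / max_tcp,
        "avg_bytes_per_session": avg,
    }


if __name__ == "__main__":
    # max_tcp 25600 is the value from the posted stream5_global line.
    for key, value in summarize(parse_prunes(SAMPLE), max_tcp=25600).items():
        print(f"{key}: {value}")
```

Run over a full day of syslog, the same summary shows how often pruning occurs and whether the session table or the memcap is the limit being reached first.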