Snort mailing list archives

Re: Snort Memcap issue


From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Wed, 23 Apr 2014 17:00:30 -0400

Wouldn’t lowering the max_tcp reduce the number of sessions stored in memory and therefore reduce the likelihood of being able to alert on actual intrusions, since more sessions will likely go unmonitored?

If the memcap is maxed out and sessions are being pruned, it seems that overall RAM would be the culprit, right? Reducing the sessions would, in a way, be manually snipping these sessions /before/ they are stored in memory instead of afterwards?

Maybe I’m not understanding how the sessions are stored and managed though.


From: Mnemonyss [mailto:mnemonyss () gmail com]
Sent: Wednesday, April 23, 2014 1:52 PM
To: Hui Cao (huica)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Memcap issue

I have memcap set at its max, so I lowered max_tcp and the messages stopped.

Thank you!
Alicia S.

On Wed, Apr 23, 2014 at 12:25 PM, Hui Cao (huica) <huica () cisco com<mailto:huica () cisco com>> wrote:
You need to increase memcap to get rid of this. Lowering max_tcp also helps.

Best,
Hui

From: Mnemonyss <mnemonyss () gmail com<mailto:mnemonyss () gmail com>>
Date: Wednesday, April 23, 2014 at 1:17 PM
To: "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: [Snort-users] Snort Memcap issue


I am continuing to see these and would like to know if there's some alternate configuration I should try to get rid of this output:
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824

Version: Snort 2.9.6.0
Stream5 configuration:


# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no, \
   max_tcp 25600, \
   memcap 1073741824, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 0

If I lower the max_tcp, would it effectively lower the number of sessions in memcap?
Please advise,

Alicia S.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
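As an added example (not code from this thread or from the Snort project), the following Python script parses the "S5: Pruned ... for memcap" syslog lines quoted above, reports memcap utilisation and the per-session footprint they imply, and estimates how many sessions the configured memcap can actually hold next to the posted max_tcp of 25600. The sample log lines and the max_tcp value are copied from the post; the estimate assumes the memcap counter is spread evenly over the tracked sessions, which is an approximation, and the unrelated fourth log line is constructed to show that non-matching lines are ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input for this example: the three "S5: Pruned" syslog
# lines quoted in the thread, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824
Apr 20 03:15:11 NIDS snort[2759]: Reload of configuration complete
"""

# max_tcp value from the stream5_global line in the posted configuration.
CONFIGURED_MAX_TCP = 25600

# Matches the Stream5 memcap prune message in the format shown in the thread.
PRUNE_RE = re.compile(
    r"S5: Pruned (?P<pruned>\d+) sessions from cache for memcap\. "
    r"(?P<remain>\d+) ssns remain\.\s+memcap: (?P<used>\d+)/(?P<cap>\d+)"
)


@dataclass(frozen=True)
class PruneEvent:
    pruned: int   # sessions evicted by this prune pass
    remain: int   # sessions still in the cache afterwards
    used: int     # bytes charged against memcap afterwards
    cap: int      # configured memcap in bytes

    @property
    def utilisation(self) -> float:
        return self.used / self.cap

    @property
    def bytes_per_session(self) -> float:
        # Average Stream5 footprint of one tracked session, estimated from
        # this single log line (assumption: memcap is spread evenly).
        return self.used / self.remain


def parse_prune_events(log_text: str) -> List[PruneEvent]:
    """Extract every Stream5 memcap prune message from a block of syslog text."""
    events = []
    for line in log_text.splitlines():
        m = PRUNE_RE.search(line)
        if m:
            events.append(PruneEvent(**{k: int(v) for k, v in m.groupdict().items()}))
    return events


def summarise(events: List[PruneEvent], max_tcp: int) -> Dict[str, object]:
    """Quantify memcap pressure and estimate how many sessions actually fit.

    sessions_at_cap uses the largest observed per-session footprint, so it is
    a conservative estimate of how many sessions the memcap can hold. If it is
    below max_tcp, memcap (not max_tcp) is the binding limit and Stream5 keeps
    pruning; a max_tcp at or below sessions_at_cap stops the memcap prunes at
    the cost of tracking fewer sessions, the trade-off raised in the thread.
    """
    if not events:
        raise ValueError("no Stream5 memcap prune events found")
    worst = max(e.bytes_per_session for e in events)
    cap = events[-1].cap
    sessions_at_cap = int(cap // worst)
    return {
        "events": len(events),
        "total_pruned": sum(e.pruned for e in events),
        "peak_utilisation": max(e.utilisation for e in events),
        "worst_bytes_per_session": worst,
        "sessions_at_cap": sessions_at_cap,
        "memcap_is_binding": sessions_at_cap < max_tcp,
    }


if __name__ == "__main__":
    summary = summarise(parse_prune_events(SAMPLE_LOG), CONFIGURED_MAX_TCP)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the posted numbers the three lines imply roughly 42 KB per tracked session, so a 1 GB memcap holds a little under 25,600 sessions and is reached just before max_tcp is; that is why pruning continues at the memcap ceiling and why a slightly lower max_tcp silences the messages. Run it against a real syslog extract (`journalctl -u snort` or `/var/log/messages` piped in) to get the same figures for a sensor that is actually under pressure.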
