Snort mailing list archives

Re: /var/log/messages filling up

From: "Cynthia Leonard (cyleonar)" <cyleonar () cisco com>
Date: Tue, 19 May 2015 09:27:34 +0000

The fix is not available in 2.9.7.2 it may not be worth the build.

-Cynthia

From: test engineer [mailto:test12524 () gmail com]
Sent: Monday, May 18, 2015 8:39 PM
To: Cynthia Leonard (cyleonar)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] /var/log/messages filling up

Cynthia,
Thank you for your response.  I'm currently configured as such:
OS:  CentOS 6.5 minimal install
Snort: 2.9.6.2
snort.conf:  stream5-global:  memcap 1073741824  (maximum 1GB)
                                          prune_log_max 0   (thought this would disable these messages but it didn't)
                  stream5-tcp:  max_queued_bytes 0 (unlimited)
                                       max_queued_segs 0 (unlimited)
This seems to have helped slightly but still pruning sessions due to memcap.
I see SNORT 2.9.7.2 is now available.  Is it worth the time to rebuild?
Thanks again!

On Mon, May 18, 2015 at 6:22 AM, Cynthia Leonard (cyleonar) <cyleonar () cisco com<mailto:cyleonar () cisco com>> wrote:
Usually once the memcap reaches a certain limit, the sessions get pruned to free some memory. This message gets printed 
 when x number sessions are pruned and sometimes it can be quickly fill /var/log/messages.
This issue has been addressed in the upcoming version of snort 2.9.x.

Regards
Cynthia

From: test engineer [mailto:test12524 () gmail com<mailto:test12524 () gmail com>]
Sent: Wednesday, May 13, 2015 12:45 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] /var/log/messages filling up

Constant streaming of:

snort[2546]: S5: Pruned 10 sessions from cache for memcap. 1689 ssns remain.  memcap: 8376897/8388608
in the messages file.  Not sure what is causing it.  Suggestions?
Thank you!

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

/var/log/messages filling up test engineer (May 12)
- Re: /var/log/messages filling up Cynthia Leonard (cyleonar) (May 18)
  - Re: /var/log/messages filling up test engineer (May 18)
    - Re: /var/log/messages filling up Cynthia Leonard (cyleonar) (May 19)