Snort mailing list archives

Re: Stream5 Reassembly ports


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 27 May 2014 13:47:52 -0400

On 5/27/2014 5:15 AM, NIDS TEAM wrote:
> Hi again
>
> Does anybody know why I am getting this sort of log messages:

yep! read your config...

> snort[11777]: S5: Session exceeded configured max bytes to queue 2097152 using
> 2097254 bytes (client queue). 10.0.0.12 61326 --> 10.0.0.13 3299 (0) : LWstate
> 0x40 LWFlags 0x2102
>
> With the following Stream5 configuration:
>
> preprocessor stream5_global: track_tcp yes, \
>                               track_udp yes, \
>                               track_icmp no, \
>                               max_tcp 65536, \
>                               max_udp 65536, \
>                               memcap 536870912
> preprocessor stream5_tcp: policy windows, \
>                            timeout 60, \
>                            max_queued_bytes 2097152, \

cause: this value, max_queued_bytes, is the setting and the session tried to 
load more than this value...

solution: increase this value...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
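
An added example for the tuning step in the reply above (not code from the thread or from the Snort project): it reads max_queued_bytes from a stream5_tcp line and summarizes the S5 messages by destination port and largest queued size, so a new limit can be chosen from observed values. The sample config and log are constructed from the lines in the post; the second and third log entries are made up.

```python
import re
from collections import Counter

# Constructed sample: the stream5_tcp options shown in the post (the post's
# config is cut off after max_queued_bytes, so nothing beyond it is assumed).
SAMPLE_CONF = """\
preprocessor stream5_tcp: policy windows, \\
                           timeout 60, \\
                           max_queued_bytes 2097152
"""

# Constructed sample log: the first entry is the message from the post, joined
# onto one line; the other two entries are made up for illustration.
SAMPLE_LOG = """\
snort[11777]: S5: Session exceeded configured max bytes to queue 2097152 using 2097254 bytes (client queue). 10.0.0.12 61326 --> 10.0.0.13 3299 (0) : LWstate 0x40 LWFlags 0x2102
snort[11777]: S5: Session exceeded configured max bytes to queue 2097152 using 2098600 bytes (server queue). 10.0.0.12 61330 --> 10.0.0.13 3299 (0) : LWstate 0x40 LWFlags 0x2102
snort[11777]: S5: Session exceeded configured max bytes to queue 2097152 using 2097300 bytes (client queue). 10.0.0.20 50111 --> 10.0.0.21 445 (0) : LWstate 0x40 LWFlags 0x2102
"""

S5_RE = re.compile(
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)")

def configured_limit(conf_text):
    """Return max_queued_bytes from a stream5_tcp line, or None if unset."""
    joined = re.sub(r"\\\s*\n\s*", " ", conf_text)  # fold '\' continuations
    for line in joined.splitlines():
        if line.strip().startswith("preprocessor stream5_tcp:"):
            m = re.search(r"\bmax_queued_bytes\s+(\d+)", line)
            if m:
                return int(m.group(1))
    return None

def summarize(log_text):
    """Count messages per destination port and track the largest 'using' value."""
    per_port, peak = Counter(), 0
    for m in S5_RE.finditer(log_text):
        per_port[int(m["dport"])] += 1
        peak = max(peak, int(m["used"]))
    return per_port, peak

if __name__ == "__main__":
    limit = configured_limit(SAMPLE_CONF)
    per_port, peak = summarize(SAMPLE_LOG)
    print(f"configured max_queued_bytes: {limit}, largest queue seen: {peak}")
    for port, n in per_port.most_common():
        print(f"  dst port {port}: {n} message(s)")
```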
