Snort mailing list archives
Re: memcap maxed out
From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Mon, 22 Sep 2014 12:04:19 -0400
Did you ever get a response or an answer to this?

I used to get these non-stop. My CPU was being taxed by the process though, averaging 80% utilization. Memory was only about 3GB out of 8GB though. So I always thought this was very odd.

Turns out after I went from an old HP ProLiant DL360 to a newer, but still old Cisco server (I don't have the model in front of me now), those messages disappeared. While the Cisco CPU is actually clocked slower, it only gets about 5% utilization. Go figure.

I am told that it has to do with the CPU's Streaming SIMD Extensions (SSE) set being older on the HP (SSE2, I think). The newer SSE of the Cisco (SSE3, I think) handles the same traffic from that tap (~20Mbps), plus traffic from another tap (~50Mbps) without batting an eye.

From: Sharif Uddin [mailto:Sharif.Uddin () spectrumasa com]
Sent: Tuesday, September 16, 2014 10:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] memcap maxed out

Hello

I have set stream5 as follows

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   memcap 1073741824, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, max_queued_segs 0, max_queued_bytes 0, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \

however I still get the following in logs. Is this normal?

Sep 16 15:45:00 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 137 ssns remain. memcap: 1073734853/1073741824
Sep 16 15:45:00 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 132 ssns remain. memcap: 1073733155/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 156 ssns remain. memcap: 1073728713/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 151 ssns remain. memcap: 1073737880/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 147 ssns remain. memcap: 1073739465/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 143 ssns remain. memcap: 1073739742/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 138 ssns remain. memcap: 1073739597/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 133 ssns remain. memcap: 1073739179/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 128 ssns remain. memcap: 1073739614/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 123 ssns remain. memcap: 1073740666/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned session from cache that was using 30689490 bytes (memcap/check). 172.16.0.200 54138 --> 172.16.0.22 445 (0) : LWstate 0x40 LWFlags 0x422101
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 118 ssns remain. memcap: 1043016415/1073741824

Sharif Uddin
Development/Support Engineer
-------------------
Spectrum Geo Ltd
Dukes Court, Duke Street
Woking, Surrey GU21 5BH
UNITED KINGDOM
Tel: +44 (0) 1483 730201
Fax: +44 (0) 1483 762620
www.spectrumasa.com<http://www.spectrumasa.com/>
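Added example, not part of the original thread and not Snort project code: a small Python parser for the two "S5: Pruned" message forms quoted above. It reports peak memcap utilization and the average bytes held per remaining session, which shows whether the cap is being consumed by many sessions or by a few very large ones. The function name, the regexes and the 1 MiB threshold are assumptions made for this illustration.

```python
import re

# Lines copied from the log excerpt quoted in the thread above.
SAMPLE_LOG = """\
Sep 16 15:45:00 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 137 ssns remain. memcap: 1073734853/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 123 ssns remain. memcap: 1073740666/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned session from cache that was using 30689490 bytes (memcap/check). 172.16.0.200 54138 --> 172.16.0.22 445 (0) : LWstate 0x40 LWFlags 0x422101
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 118 ssns remain. memcap: 1043016415/1073741824
"""

PRUNE_RE = re.compile(
    r"S5: Pruned (?P<n>\d+) sessions from cache for memcap\.\s+"
    r"(?P<remain>\d+) ssns remain\.\s+memcap: (?P<used>\d+)/(?P<cap>\d+)")
BIG_RE = re.compile(
    r"S5: Pruned session from cache that was using (?P<bytes>\d+) bytes "
    r"\(memcap/check\)\.\s+(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)")

# Assumed illustration threshold: sessions averaging more than 1 MiB each.
LARGE_AVG_BYTES = 1 << 20


def summarize(log_text):
    """Summarize Stream5 memcap pruning messages found in syslog text."""
    prunes, big_flows = [], []
    for line in log_text.splitlines():
        m = PRUNE_RE.search(line)
        if m:
            prunes.append((int(m["used"]), int(m["cap"]), int(m["remain"])))
            continue
        m = BIG_RE.search(line)
        if m:  # a single session evicted because of its own size
            big_flows.append({"bytes": int(m["bytes"]),
                              "flow": (m["src"], int(m["sport"]),
                                       m["dst"], int(m["dport"]))})
    if not prunes:
        return {"prune_events": 0, "big_flows": big_flows}
    # Pick the event with the highest used/cap ratio.
    used, cap, remain = max(prunes, key=lambda p: p[0] / p[1])
    avg = used // max(remain, 1)
    return {"prune_events": len(prunes),
            "peak_util": used / cap,
            "sessions_at_peak": remain,
            "avg_bytes_per_session": avg,
            # True when few sessions, not session count, fill the memcap.
            "few_large_sessions": avg > LARGE_AVG_BYTES,
            "big_flows": sorted(big_flows, key=lambda f: -f["bytes"])}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the quoted lines the cap is almost full with only about 120 to 160 sessions tracked, so the average is several megabytes per session; the posted stream5_tcp line sets max_queued_segs 0 and max_queued_bytes 0, which the Snort manual documents as unlimited queuing per session.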
Current thread:
- memcap maxed out Sharif Uddin (Sep 16)
- Re: memcap maxed out Khanh Tran (Sep 16)
- Re: memcap maxed out Kurzawa, Kevin (Sep 22)
- Re: memcap maxed out Sharif Uddin (Sep 22)
- Re: memcap maxed out Khanh Tran (Sep 22)
- Re: memcap maxed out Sharif Uddin (Sep 23)
- Re: memcap maxed out Sharif Uddin (Sep 22)
