Snort mailing list archives
Re: Stream5 error
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 7 Apr 2016 22:08:39 +0000
Please see the README.session file in the documentation: You may need to change this setting.
    prune_log_max <bytes> - Print a message when a session terminates that
                            was consuming more than the specified number of
                            bytes. The default is "1048576" (1MB), minimum
                            can be either "0" (disabled) or if not disabled
                            the minimum is "1024" and maximum is "1073741824".
Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
From: Al Lewis (allewi)
Sent: Thursday, April 07, 2016 3:15 PM
To: Dave Corsello; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Stream5 error
If you don’t have a config I would think that you are hitting one of these conditions from line 7201 in “preprocessors/Stream6/snort_stream_tcp.c:”
    7201 if (stream_session_config->prune_log_max && (TwoWayTraffic(tcpssn->scb) ||
             s5TcpPolicy->log_asymmetric_traffic) && !(tcpssn->scb->ha_state.session_flags & SSNFLAG_LOGGED_QUEUE_FULL))
    7202 {
    7203     LogMessage("S5: Session exceeded configured max bytes to queue %d "
    7204                "using %d bytes (%s). %s %d --> %s %d "
Maybe you are hitting the max bytes configured for a session?
What does your stream preprocessor setup look like?
From: Al Lewis (allewi)
Sent: Thursday, April 07, 2016 3:03 PM
To: Dave Corsello; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Stream5 error
Do you have a copy of your configuration that you can share?
From: Dave Corsello [mailto:snort-users () wintertreemedia com]
Sent: Thursday, April 07, 2016 2:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Stream5 error
I'm getting a number of S5 errors like the following:
    Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : LWstate 0x9 LWFlags 0x6007
I typically have not seen this error. I'm not sure when it started. I'm concerned because in each case, the source
and destination IPs are identical to one another, and because in each case the address is a public address outside of
my network. Can someone help me to understand what's happening, and if correctable, what kinds of Snort configuration
changes can correct this?
Thanks,
Dave
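A triage sketch for the log line quoted in the original post, added here as an example and not part of any message in the thread or of Snort itself: it parses the S5 message, reports how far each session exceeded the limit, flags flows whose source and destination addresses are identical, and checks a candidate prune_log_max value against the range in the README excerpt. The function names and the sample lines (documentation addresses, "snort[1234]:" prefix) are constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the message quoted in the thread; the meaning of the
# parenthesised number before "LWstate" is not stated there, so it is kept raw.
S5_RE = re.compile(
    r"Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>[^)]+)\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) -->\s+(?P<dst>\S+) (?P<dport>\d+) "
    r"\((?P<tag>\d+)\) : LWstate (?P<state>0x[0-9a-fA-F]+) "
    r"LWFlags (?P<flags>0x[0-9a-fA-F]+)"
)

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE = [
    "snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). 192.0.2.10 13624 --> 192.0.2.10 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1049000 bytes (client queue). 192.0.2.10 13702 --> 192.0.2.10 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1060000 bytes (client queue). 198.51.100.7 40112 --> 203.0.113.5 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "snort[1234]: unrelated line (constructed)",
]

def parse_s5(line):
    """Return the fields of an S5 queue-limit message as a dict, else None."""
    m = S5_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("limit", "used", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["over_by"] = rec["used"] - rec["limit"]        # bytes above the limit
    rec["same_endpoints"] = rec["src"] == rec["dst"]   # condition noted in the post
    return rec

def valid_prune_log_max(value):
    """Range from the README excerpt: 0 disables, otherwise 1024..1073741824."""
    return value == 0 or 1024 <= value <= 1073741824

def triage(lines):
    """Count S5 messages per (src, dst, dport) and collect same-address flows."""
    per_flow, same = Counter(), set()
    for rec in filter(None, map(parse_s5, lines)):
        flow = (rec["src"], rec["dst"], rec["dport"])
        per_flow[flow] += 1
        if rec["same_endpoints"]:
            same.add(flow)
    return per_flow, same

if __name__ == "__main__":
    print(triage(SAMPLE))
```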
