[Snort-devel] Bug in stream5 global - prune_log_max <bytes>

elof at ...969... elof at ...969...
Wed Mar 13 08:42:35 EDT 2013


Hi!

Just wanted to report a bug.

The README.stream5 and manual state that setting 'prune_log_max' to 0 
should disable logging completely.
This is not the case. Instead I get LOTS of logs, for sessions that are 
using just a few bytes.
(the default if not specifying any 'prune_log_max' at all is to only log 
a message if a terminated session used more than 1 MB of data)



preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, 
max_tcp 262144, max_udp 131072, max_active_responses 2, 
min_response_seconds 5, prune_log_max 0, memcap 640578048

Result: My syslog spews out these lines at a high rate:

Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045 
(0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 33260 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 21758 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 65513 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40129 
(0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 21872 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40402 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 41445 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 1032 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 42689 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 6330 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 35536 
(0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 1032 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 57815 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 394 bytes (new data/timedout). x.x.x.x 13764 --> x.x.x.x 20380 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 396 bytes (new data/timedout). x.x.x.x 6907 --> x.x.x.x 20380 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 26381 bytes (new data/timedout). x.x.x.x 1009 --> x.x.x.x 48385 
(0) : LWstate 0x8f LWFlags 0x16007

/Elof
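
One way to check a syslog for the behaviour reported above, as an added example that is not part of the original post and is not Snort code: it parses the "S5: Pruned session" messages (including the line-wrapped form quoted in the mail) and returns those that the documented prune_log_max semantics say should not have been logged. The function names, the constructed sample lines, and the reading of "1 MB" as 1048576 bytes are assumptions.

```python
import re

# Constructed sample in the message format quoted in the report
# (addresses masked as in the post; second entry is wrapped the way the mail wraps it).
SAMPLE = """\
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045 (0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that
was using 21872 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40402
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:39 myhost snort[26489]: S5: Pruned session from cache that was using 2097152 bytes (new data/timedout). x.x.x.x 1009 --> x.x.x.x 48385 (0) : LWstate 0x8f LWFlags 0x16007
Mar 13 12:27:40 myhost sshd[311]: unrelated line
"""

# Whitespace between fields is matched loosely so wrapped entries still parse.
PRUNE_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Pruned session from cache that\s+was using\s+"
    r"(?P<bytes>\d+) bytes \((?P<reason>[^)]*)\)\.\s+"
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)\s+"
    r"\(\d+\) : LWstate (?P<state>0x[0-9a-fA-F]+) LWFlags (?P<flags>0x[0-9a-fA-F]+)"
)

DEFAULT_PRUNE_LOG_MAX = 1048576  # assumption: the "1 MB" default expressed in bytes


def parse_prune_events(text):
    """Return one dict per prune message found in the log text."""
    events = []
    for match in PRUNE_RE.finditer(text):
        event = match.groupdict()
        event["bytes"] = int(event["bytes"])
        events.append(event)
    return events


def unexpected_prune_logs(text, prune_log_max=DEFAULT_PRUNE_LOG_MAX):
    """Return prune messages that the documented setting should have suppressed.

    prune_log_max == 0 is documented as "logging disabled", so every message is
    unexpected; otherwise only sessions using more than the limit should be logged.
    """
    events = parse_prune_events(text)
    if prune_log_max == 0:
        return events
    return [e for e in events if e["bytes"] <= prune_log_max]


if __name__ == "__main__":
    for ev in unexpected_prune_logs(SAMPLE, prune_log_max=0):
        print(ev["bytes"], ev["reason"], ev["state"], ev["flags"])
```

Pass the prune_log_max value from the stream5_global line in snort.conf; a non-empty result means the running build is not honouring the configured value.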



