[Snort-devel] preprocessor stream5_global prune_log_max 0

elof at ...969... elof at ...969...
Mon Jan 25 05:39:16 EST 2016


This is a bump to inform you that the problem persists in snort 2.9.8.0.

I see that the source code has been altered in the sections that log the 
"S5: Session exceeded" messages, but apparently the bug was not fixed.

The manual still states:

prune_log_max <num bytes>

Print a message when a session terminates that was consuming more than the 
specified number of bytes. The default is "1048576" (1MB), minimum can be 
either "0" (disabled) or if not disabled the minimum is "1024" and maximum 
is "1073741824".



I set it to 0, but still get thousands of S5 lines in the syslog.

/Elof



On Fri, 27 Mar 2015, Victor Roemer wrote:

> Elof, I'm aware of changes to Snort in which we've added new "config:"
> options to make Stream5 less noisy. I'll have to check, but they should
> be in the next major release.
>
> ~Victor
>
> On 03/27/15 9:20, elof at ...969... wrote:
>>> Will this bug ever be fixed?
>>>
>>> See my initial report from 2 years ago, http://seclists.org/snort/2013/q1/952
>>> and the proposed solution by Gregory in http://seclists.org/snort/2013/q1/967
>>
>> I tried to mute the flood of prune-messages by setting prune_log_max to 1073741824, but it still spams my syslog. :(
>>
>> Perhaps you should review the logging mechanism? I think setting
>> prune_log_max to either 0 or the maximum value should disable the logging
>> completely.
>>
>>
>>
>>
>> I then tried an even higher value, to make it shut up, but then I get:
>>
>> snort[64286]: FATAL ERROR: snort.conf(178) => Invalid Prune Log Max.  Must be 0 (disabled) or between 1024 and 1073741824
>>
>>
>> So I revert back to filtering the spam in my syslog-conf instead. :-/
>>
>> /Elof
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>



