[Snort-devel] preprocessor stream5_global prune_log_max 0

elof at ...969... elof at ...969...
Mon Jan 25 07:09:06 EST 2016


Doh! Never mind. My bad.

I had made changes to the startup script to dynamically replace the 
prune_log_max value with the maximum allowed value, so my test with 
value '0' never got tested since the 0 got overwritten at startup.

Now I have fixed the startup script not to mess with prune_log_max and S5 
is indeed not spamming the syslog any more.

Thanks. And sorry.

/Elof


On Mon, 25 Jan 2016, elof at ...969... wrote:

>
> This is a bump to inform you that the problem persists in snort 2.9.8.0.
>
> I see that the source code has been altered in the sections that log the
> "S5: Session exceeded" messages, but apparently the bug was not fixed.
>
> The manual still states:
>
> prune_log_max <num bytes>
>
> Print a message when a session terminates that was consuming more than the
> specified number of bytes. The default is "1048576" (1MB), minimum can be
> either "0" (disabled) or if not disabled the minimum is "1024" and maximum
> is "1073741824".
>
>
>
> I set it to 0, but still get thousands of S5 lines in the syslog.
>
> /Elof
>
>
>
> On Fri, 27 Mar 2015, Victor Roemer wrote:
>
>> Elof, I'm aware of changes to Snort which we've added new "config:"
>> options to make Stream5 less noisy. I'll have to check but they should
>> be in the next major release.
>>
>> ~Victor
>>
>> On 03/27/15 9:20, elof at ...969... wrote:
>>>> Will this bug ever be fixed?
>>>>
>>>> See my initial report from 2 years ago, http://seclists.org/snort/2013/q1/952
>>>> and the proposed solution by Gregory in http://seclists.org/snort/2013/q1/967
>>>
>>> I tried to mute the flood of prune-messages by setting prune_log_max to 1073741824, but it still spams my syslog. :(
>>>
>>> Perhaps you should review the logging mechanism? I think setting
>>> prune_log_max to either 0 or the maximum value should disable the logging
>>> completely.
>>>
>>>
>>>
>>>
>>> I then tried an even higher value, to make it shut up, but then I get:
>>>
>>> snort[64286]: FATAL ERROR: snort.conf(178) => Invalid Prune Log Max.  Must be 0 (disabled) or between 1024 and 1073741824
>>>
>>>
>>> So I revert back to filtering the spam in my syslog-conf instead. :-/
>>>
>>> /Elof
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>
>

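The root cause in this thread was that the file being edited was not the configuration Snort was started with. The following is an added example, not part of the original messages and not Snort code: it reads the `prune_log_max` value from a given config file and classifies it against the range quoted from the manual above. The file names and the `sed` rewrite standing in for the startup script are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not Snort code). Reports the prune_log_max value in the config
# file Snort is actually started with, classified by the range the manual gives.

# Print the prune_log_max of the last stream5_global line, or "unset".
effective_prune_log_max() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        {
            line = buf $0
            if (line ~ /\\[ \t]*$/) {                # trailing backslash: join with next line
                sub(/\\[ \t]*$/, " ", line); buf = line; next
            }
            buf = ""
            if (line ~ /^[ \t]*preprocessor[ \t]+stream5_global[ \t]*:/) {
                found = "unset"
                n = split(line, opts, /[:,]/)
                for (i = 2; i <= n; i++)
                    if (split(opts[i], kv, " ") >= 2 && kv[1] == "prune_log_max")
                        found = kv[2]
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Map a value to: default | disabled | enabled | invalid.
classify_prune_log_max() {
    case $1 in
        unset) echo default ;;
        ''|*[!0-9]*|???????????*) echo invalid ;;    # non-numeric or too long to be in range
        *)  if [ "$1" -eq 0 ]; then echo disabled
            elif [ "$1" -ge 1024 ] && [ "$1" -le 1073741824 ]; then echo enabled
            else echo invalid
            fi ;;
    esac
}

# Constructed sample: the edited file, and a copy rewritten the way a startup
# script might before launching Snort (both hypothetical).
tmp=$(mktemp -d)
printf '%s\n' 'preprocessor stream5_global: track_tcp yes, \' \
              '    max_tcp 262144, prune_log_max 0' > "$tmp/edited.conf"
sed 's/prune_log_max [0-9]*/prune_log_max 1073741824/' "$tmp/edited.conf" > "$tmp/running.conf"
for f in edited running; do
    v=$(effective_prune_log_max "$tmp/$f.conf")
    echo "$f.conf: prune_log_max=$v ($(classify_prune_log_max "$v"))"
done
```

Run against the file passed to Snort at startup rather than the one being edited, a mismatch like the one described in the top message shows up immediately.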