[Snort-users] "S5 pruned sessions from cache" messages

Martin Roesch roesch at ...1935...
Tue Apr 29 13:56:36 EDT 2008


It means that you haven't allocated enough memory to stream5's  
memcap.  Basically when it hits the memcap limit due to trying to  
track too many sessions at once you need to raise the memcap limit  
until you stop getting those notifications.  Try doubling it for  
starters and see what happens.

	-Marty


On Apr 29, 2008, at 1:52 PM, Joe S wrote:

> Correction: Running 2.8.1
>
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.8.1 (Build 28)  FreeBSD
>   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>           (C) Copyright 1998-2008 Sourcefire Inc., et al.
>           Using PCRE version: 7.4 2007-09-21
>
>
> On Tue, Apr 29, 2008 at 10:50 AM, Joe S <js.lists at ...11827...> wrote:
>> I'm running Snort 2.8.0.1 on FreeBSD 7.0 (i386) and I'm getting tons
>> of messages like this:
>>
>> S5: Pruned 25 sessions from cache. 2870 ssns for memcap:  
>> 8387663/8388608
>> S5: Pruned 5 sessions from cache. 2877 ssns for memcap:  
>> 8235241/8388608
>> S5: Pruned 20 sessions from cache. 2964 ssns for memcap:  
>> 8388299/8388608
>> S5: Pruned 5 sessions from cache. 2959 ssns for memcap:  
>> 8388559/8388608
>> S5: Pruned 5 sessions from cache. 2954 ssns for memcap:  
>> 8387708/8388608
>> S5: Pruned 5 sessions from cache. 2947 ssns for memcap:  
>> 8387840/8388608
>> S5: Pruned 70 sessions from cache. 2877 ssns for memcap:  
>> 8387838/8388608
>> S5: Pruned 15 sessions from cache. 2862 ssns for memcap:  
>> 8388366/8388608
>> S5: Pruned 25 sessions from cache. 2837 ssns for memcap:  
>> 8388348/8388608
>> S5: Pruned 10 sessions from cache. 2827 ssns for memcap:  
>> 8388233/8388608
>> S5: Pruned 5 sessions from cache. 2822 ssns for memcap:  
>> 8387495/8388608
>> S5: Pruned 5 sessions from cache. 2817 ssns for memcap:  
>> 8360849/8388608
>> S5: Pruned 5 sessions from cache. 2826 ssns for memcap:  
>> 8388047/8388608
>> S5: Pruned 35 sessions from cache. 2793 ssns for memcap:  
>> 8387029/8388608
>>
>> I've searched the archives, but have not found anything.
>>
>> Why am I getting these messages?
>> What do they mean?
>>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save  
> $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080429/592926e8/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080429/592926e8/attachment.sig>


More information about the Snort-users mailing list