[Snort-users] S5: Session exceeded configured max bytes

Joel Esler jesler at ...1935...
Sun Dec 13 17:25:50 EST 2009

On Sun, Dec 13, 2009 at 4:35 PM, Jason Haar <Jason.Haar at ...294...>wrote:

>  Hi there
> Some of our snort- IDS systems are generating the following after
> they've been running for "a while" (hours or days - we haven't diagnosed it
> further)
> S5: Session exceeded configured max bytes to queue 1048576 using 1048641
> bytes (client queue).

I've seen this happen on very large file transfers, where one session, while
being reassembled, exceeds the queue length that is set in the snort.conf
(or by default, whichever one you've opted for).

> I think that refers to max_queued_bytes? Can someone explain how this queue
> can become full? I'm wondering if its related to network load? I'm guessing
> here, but is it lots of simultaneous tcp sessions leading to per-session
> queues growing - which means if more data is coming in that can be quickly
> dealt with, you end up with this queue being exceeded? What's the impact of
> increasing max_queued_bytes? More memory used of course, but (again,
> guessing) increasing could help you around bursts - but probably not around
> prolonged intense traffic flows? So if you don't have a burst problem, then
> that would imply your hardware isn't up to the load? (ie need more RAM
> and/or faster CPU, bus/whatever)

If this isn't happening very much, it might be just a "burst"/"freak
occurrence".  If this happens a lot, I would up the max_queued_bytes in
Stream5.  If you start dropping packets, you need more RAM.  (Or if you are
dropping packets now).

Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20091213/6103f5ff/attachment.html>

More information about the Snort-users mailing list