[Snort-users] S5: Session exceeded configured max bytes to queue

Christian bzzzz ha1l at ...125...
Tue Jun 26 09:41:44 EDT 2012




Hello Everyone,

I recently compiled and installed snort 2.9.2.3 on two of our Linux systems:

Unfortunately I keep seeing these messages:

S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue). 
S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue). 
S5: Session exceeded configured max bytes to queue 1048576 using 1048872 bytes (client queue). 

The default stream5 configuration is of course not optimum.

As I understand from README.stream5 it is possible to raise the memcap from
the default (8MB) to (1GB):
 
memcap <bytes>          - Memcap for TCP packet storage.  The default
                              is "8388608" (8MB), maximum is "1073741824" (1GB),
                              minimum is "32768" (32KB).

The memcap is of course set to maximum.

One of the machines is equipped with 72GB of RAM, but I guess that won't
help anything since I can't raise the memcap further.

I have tried many different things in order to tune it, unfortunately without
success. 

This is the start up line:

./bin/snort  -c etc/snort.conf --daq-dir=/localdisk1/lib/daq --daq afpacket --daq-mode passive --daq-var buffer_size_mb=3900 -i eth2 -b -l $livedatadir/livealert

Any suggestions what to do?

As a side note: interestingly, on an ancient installation 2.8.4 (with Phil Woods mmap) these
problems were not there. Also the performance of that old installation seemed
to be clearly better than the performance of the current 2.9.2.3 installation (even
though the HW where the 2.9.2.3 is installed is superior to the 2.8.4 one).

Thank you in advance,
Christian
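
Added example, not part of the original post and not Snort project code: a small Python check that reads the S5 messages quoted above together with a snort.conf fragment and reports which stream5 setting the logged limit corresponds to. The snort.conf fragment is constructed for illustration; the defaults for memcap (stream5_global) and max_queued_bytes (stream5_tcp) are taken from README.stream5, and the function names are hypothetical.

```python
import re

# Defaults per README.stream5: global TCP packet-storage memcap and the
# per-session reassembly queue limit (max_queued_bytes, a stream5_tcp option).
DEFAULTS = {"memcap": 8388608, "max_queued_bytes": 1048576}

S5_RE = re.compile(r"S5: Session exceeded configured max bytes to queue (\d+) "
                   r"using (\d+) bytes \((client|server) queue\)")

# The three messages quoted in the post.
SAMPLE_LOG = """\
S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue).
S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue).
S5: Session exceeded configured max bytes to queue 1048576 using 1048872 bytes (client queue).
"""

# Constructed snort.conf fragment: memcap at its maximum, max_queued_bytes unset.
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes, track_udp yes, \\
    memcap 1073741824
preprocessor stream5_tcp: policy linux, timeout 180
"""

def stream5_settings(conf_text):
    """Return the effective memcap and max_queued_bytes from snort.conf text."""
    settings = dict(DEFAULTS)
    joined = re.sub(r"\\\s*\n", " ", conf_text)  # join continued lines
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if not line.startswith("preprocessor stream5_"):
            continue
        for key in DEFAULTS:
            m = re.search(r"\b%s\s+(\d+)" % key, line)
            if m:
                settings[key] = int(m.group(1))
    return settings

def diagnose(log_text, conf_text):
    """Group S5 queue messages by (queue, limit) and name the matching setting."""
    settings = stream5_settings(conf_text)
    report = {}
    for limit, used, queue in S5_RE.findall(log_text):
        limit, used = int(limit), int(used)
        e = report.setdefault((queue, limit), {"count": 0, "max_over": 0})
        e["count"] += 1
        e["max_over"] = max(e["max_over"], used - limit)
        e["matches"] = sorted(k for k, v in settings.items() if v == limit)
    return report

if __name__ == "__main__":
    for key, entry in diagnose(SAMPLE_LOG, SAMPLE_CONF).items():
        print(key, entry)
```

On this input the logged limit of 1048576 matches the max_queued_bytes default rather than the configured memcap. README.stream5 documents max_queued_bytes as a stream5_tcp option with a maximum of 1073741824, where 0 means unlimited.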



 		 	   		  