[Snort-users] What is this I see?

Joel Esler jesler at ...1935...
Tue Sep 11 15:31:38 EDT 2012


Looks like you might want to up your stream5 settings (memcap, etc). Check out README.stream5 in the doc/ directory of your tarball.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 11, 2012, at 12:10 AM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:

> Can someone help me out - what is this that I see when Snort starts "commencing packet processing":
> 
> S5: Session exceeded configured max bytes to queue 1048576 using 1049442 bytes (server queue). 172.16.100.107 61937 --> 180.190.148.148 80 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1126802 bytes (stale/timeout). 172.16.4.155 1087 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x65e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049767 bytes (client queue). 172.16.5.144 1304 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1125451 bytes (closed normally). 172.16.5.144 1304 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Pruned session from cache that was using 1124810 bytes (stale/timeout). 172.16.4.165 1040 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Pruned session from cache that was using 1128510 bytes (stale/timeout). 172.16.105.13 1132 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x65e007
> S5: Pruned session from cache that was using 1122890 bytes (stale/timeout). 172.16.4.166 1066 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Pruned session from cache that was using 1127508 bytes (stale/timeout). 172.16.1.122 1039 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x65e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1048622 bytes (client queue). 172.16.100.231 60670 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1126006 bytes (closed normally). 172.16.100.231 60670 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1048628 bytes (client queue). 172.16.100.231 65349 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1144168 bytes (stale/timeout). 172.16.100.231 65349 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049249 bytes (client queue). 172.16.100.113 1743 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1125953 bytes (closed normally). 172.16.100.113 1743 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049060 bytes (client queue). 172.16.100.231 54741 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1126376 bytes (stale/timeout). 172.16.100.231 54741 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049006 bytes (client queue). 172.16.100.231 57288 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1126254 bytes (closed normally). 172.16.100.231 57288 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1048736 bytes (client queue). 172.16.100.231 58937 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1146044 bytes (stale/timeout). 172.16.100.231 58937 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049374 bytes (client queue). 172.16.100.231 60610 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1126486 bytes (stale/timeout). 172.16.100.231 60610 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Session exceeded configured max bytes to queue 1048576 using 1048952 bytes (client queue). 172.16.100.231 62333 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1126132 bytes (stale/timeout). 172.16.100.231 62333 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Session exceeded configured max bytes to queue 1048576 using 1048946 bytes (client queue). 172.16.44.53 1312 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049107 bytes (client queue). 172.16.4.177 1116 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049195 bytes (client queue). 172.16.5.185 1089 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1136895 bytes (closed normally). 172.16.4.177 1116 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Pruned session from cache that was using 1127327 bytes (closed normally). 172.16.5.185 1089 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049205 bytes (client queue). 172.16.4.82 1048 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1125501 bytes (closed normally). 172.16.4.82 1048 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1048732 bytes (client queue). 172.16.4.183 1083 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049149 bytes (client queue). 172.16.5.170 1133 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1117965 bytes (closed normally). 172.16.5.170 1133 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049751 bytes (client queue). 172.16.5.217 1063 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1119179 bytes (closed normally). 172.16.5.217 1063 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049466 bytes (client queue). 172.16.1.46 1101 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> S5: Pruned session from cache that was using 1118010 bytes (closed normally). 172.16.1.46 1101 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
> S5: Pruned session from cache that was using 1118986 bytes (stale/timeout). 172.16.44.53 1312 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
> S5: Session exceeded configured max bytes to queue 1048576 using 1049556 bytes (client queue). 172.16.2.25 1332 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
> 
> 
> Thanks...

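An added example, not part of the original thread or of Snort: a small Python summarizer for the S5 messages quoted above, grouping them by destination service so it is clear which flows hit the queue limit before any stream5 setting is changed. The sample lines are copied from the quoted output; the function names `summarize` and `busiest` are this example's own.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the S5 output quoted in the message above.
SAMPLE = """\
S5: Session exceeded configured max bytes to queue 1048576 using 1049442 bytes (server queue). 172.16.100.107 61937 --> 180.190.148.148 80 (0) : LWstate 0x9 LWFlags 0x406007
S5: Pruned session from cache that was using 1126802 bytes (stale/timeout). 172.16.4.155 1087 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x65e007
S5: Session exceeded configured max bytes to queue 1048576 using 1049767 bytes (client queue). 172.16.5.144 1304 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
S5: Pruned session from cache that was using 1125451 bytes (closed normally). 172.16.5.144 1304 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x60e007
S5: Session exceeded configured max bytes to queue 1048576 using 1048628 bytes (client queue). 172.16.100.231 65349 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x406007
S5: Pruned session from cache that was using 1144168 bytes (stale/timeout). 172.16.100.231 65349 --> 172.16.100.223 8014 (0) : LWstate 0x9 LWFlags 0x616007
"""

# Matches both message kinds; search() tolerates a leading "> " quote prefix.
LINE_RE = re.compile(
    r"S5: (?:Session exceeded configured max bytes to queue (?P<limit>\d+)"
    r" using (?P<queued>\d+) bytes"
    r"|Pruned session from cache that was using (?P<pruned>\d+) bytes)"
    r" \((?P<reason>[^)]+)\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
)

def summarize(log_text):
    """Group S5 queue/prune messages by destination (ip, port)."""
    stats = defaultdict(lambda: {"exceeded": 0, "pruned": 0, "peak_bytes": 0,
                                 "reasons": Counter(), "sources": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an S5 queue/prune message
        entry = stats[(m["dst"], int(m["dport"]))]
        kind = "exceeded" if m["queued"] else "pruned"
        size = int(m["queued"] or m["pruned"])
        entry[kind] += 1
        entry["peak_bytes"] = max(entry["peak_bytes"], size)
        entry["reasons"][m["reason"]] += 1
        entry["sources"].add(m["src"])
    return dict(stats)

def busiest(stats):
    """Destinations ordered by total message count, highest first."""
    return sorted(stats, key=lambda k: stats[k]["exceeded"] + stats[k]["pruned"],
                  reverse=True)

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for dst in busiest(report):
        e = report[dst]
        print(dst, e["exceeded"], e["pruned"], e["peak_bytes"],
              dict(e["reasons"]), len(e["sources"]))
```

The 1048576 figure in the messages equals the documented default of both `max_queued_bytes` (stream5_tcp) and `prune_log_max` (stream5_global), which README.stream5 describes alongside `memcap`.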



