[Snort-users] Fwd: Snort 'hangs'

Y M snort at ...15979...
Thu Apr 10 00:26:46 EDT 2014


>>Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)
 
As far as I understand, the above message is related to the max_queued_bytes of the S5 TCP configurations and not memcap:
 
http://manual.snort.org/node73.html (look for the 12th item in the table). What is different from what I have seen is the part that says "LWstate 0x1 LWFlags". Usually, this is represented in bytes.
 
YM
 
Date: Thu, 10 Apr 2014 13:13:02 +1200
From: conma293 at ...11827...
To: thopeter at ...589...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Fwd: Snort 'hangs'

im also going to think about reducing memcap back to default - may be putting too much resource on the VM; which has 4gb of the 8gb host RAM

On Thu, Apr 10, 2014 at 12:40 PM, Matheus Condi'ez <conma293 at ...11827...> wrote:



   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47) 

   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team



           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.

           Using libpcap version 1.1.1

           Using PCRE version: 8.12 2011-01-15

           Using ZLIB version: 1.2.3.4






Just upgraded to community rules 2960 (with additional openSSL hearbeat rules from VRT for the boss - thankyou very much)






ive got one error here in full -->






S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue)  <ip><port> --> <ip><port> (0): LWstate 0x9 LWFlags 0x406007





Also - it just crashed on me again, the other sensor is all go, hopefully the rules upgrade will fix this issue



On Thu, Apr 10, 2014 at 3:04 AM, Tom Peters (thopeter) <thopeter at ...589...> wrote:







Matheus,



I'm taking a look at the source code.



Do you know exactly which build of Snort you are running?



>> Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)



Is this the exact error message? Could you send me the complete message?



Thanks,
Tom Peters
Sourcefire Snort Development












From: conma293 <conma293 at ...11827...>

Date: Wednesday, April 9, 2014 1:15 AM

To: Snortusers <snort-users at lists.sourceforge.net>

Subject: [Snort-users] Fwd: Snort 'hangs'











Sent from my iPhone


Begin forwarded message:





From: "Matheus Condi'ez" <conma293 at ...11827...>

Date: 9 April 2014 4:17:49 PM NZST

To: snort-users at lists.sourceforge.net

Subject: Snort 'hangs'







I have Snort running as an Ubuntu VM on a fedora host in two seperate dev environments with differing levels of traffic - one predominantly smtp (low levels) one web (high levels).



Versions - 



Snort: v2.9.6
Barnyard2-1.13
DAQ: v2.0.2



Current ruleset is community rules 28th Mar






The sensor in the low traffic smtp environment runs smooth



The sensor in the other environment however...
Snort runs fine for 3~9days, it will then stop outputting U2's for Barnyard.  Upon attempting to kill the snort process under sudo and/or root it fails to actually kill the process.  Killing the barnyard2 process is fine, as is killing the snort process
 if it is still outputting unified2.



I often see the following outputs, which may or may not be related (almost certainly not by2) - 



Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)



Barnyard2:  'lonely packet'; WARNING database called with Event Type [7] (P)acket [0x0]



I am at a loss as what to do now as I seem to have to reboot the sensor to kill the snort process every couple of days or so.













------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140410/3c1b9630/attachment.html>


More information about the Snort-users mailing list