[Snort-users] Fwd: Snort 'hangs'

Y M snort at ...15979...
Thu Apr 10 00:26:46 EDT 2014

>>Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)
As far as I understand, the above message is related to the max_queued_bytes of the S5 TCP configurations and not memcap:
http://manual.snort.org/node73.html (look for the 12th item in the table). What is different from what I have seen is the part that says "LWstate 0x1 LWFlags". Usually, this is represented in bytes.
Date: Thu, 10 Apr 2014 13:13:02 +1200
From: conma293 at ...11827...
To: thopeter at ...589...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Fwd: Snort 'hangs'

im also going to think about reducing memcap back to default - may be putting too much resource on the VM; which has 4gb of the 8gb host RAM

On Thu, Apr 10, 2014 at 12:40 PM, Matheus Condi'ez <conma293 at ...11827...> wrote:

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 47) 

   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.

           Using libpcap version 1.1.1

           Using PCRE version: 8.12 2011-01-15

           Using ZLIB version:

Just upgraded to community rules 2960 (with additional openSSL hearbeat rules from VRT for the boss - thankyou very much)

ive got one error here in full -->

S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue)  <ip><port> --> <ip><port> (0): LWstate 0x9 LWFlags 0x406007

Also - it just crashed on me again, the other sensor is all go, hopefully the rules upgrade will fix this issue

On Thu, Apr 10, 2014 at 3:04 AM, Tom Peters (thopeter) <thopeter at ...589...> wrote:


I'm taking a look at the source code.

Do you know exactly which build of Snort you are running?

>> Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)

Is this the exact error message? Could you send me the complete message?

Tom Peters
Sourcefire Snort Development

From: conma293 <conma293 at ...11827...>

Date: Wednesday, April 9, 2014 1:15 AM

To: Snortusers <snort-users at lists.sourceforge.net>

Subject: [Snort-users] Fwd: Snort 'hangs'

Sent from my iPhone

Begin forwarded message:

From: "Matheus Condi'ez" <conma293 at ...11827...>

Date: 9 April 2014 4:17:49 PM NZST

To: snort-users at lists.sourceforge.net

Subject: Snort 'hangs'

I have Snort running as an Ubuntu VM on a fedora host in two seperate dev environments with differing levels of traffic - one predominantly smtp (low levels) one web (high levels).

Versions - 

Snort: v2.9.6
DAQ: v2.0.2

Current ruleset is community rules 28th Mar

The sensor in the low traffic smtp environment runs smooth

The sensor in the other environment however...
Snort runs fine for 3~9days, it will then stop outputting U2's for Barnyard.  Upon attempting to kill the snort process under sudo and/or root it fails to actually kill the process.  Killing the barnyard2 process is fine, as is killing the snort process
 if it is still outputting unified2.

I often see the following outputs, which may or may not be related (almost certainly not by2) - 

Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)

Barnyard2:  'lonely packet'; WARNING database called with Event Type [7] (P)acket [0x0]

I am at a loss as what to do now as I seem to have to reboot the sensor to kill the snort process every couple of days or so.

Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140410/3c1b9630/attachment.html>

More information about the Snort-users mailing list