[Snort-users] Fwd: Snort 'hangs'

Tom Peters (thopeter) thopeter at ...589...
Fri Apr 11 17:22:22 EDT 2014


Matheus,

>> Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max @500MB)

This error message (which has segs and bytes versions) means a TCP connection exceeded the configured limit of unacked TCP data. It is common in environments where Snort is only seeing one direction of the connection. It does not mean you have a memory shortage.

It probably also has nothing to do with your problem.

I need more data to make any progress.

Please send your Snort config and your logging output. You don't need to wait for a failure to send logs.

What is the command line you use to start Snort?

What configuration parameters did you use to build Snort?

Do you use OpenAppID?

How long have you had this problem? What changed or have you always had it?

Tom

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140411/ba6c4678/attachment.html>


More information about the Snort-users mailing list