[Snort-users] Snort Memcap issue

Mnemonyss mnemonyss at ...11827...
Wed Apr 23 13:17:41 EDT 2014


I am continuing to see these and would like to know if there's some
alternate configuration I should try to get rid of this output:
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for
memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for
memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for
memcap. 25585 ssns remain.  memcap: 1073739717/1073741824


Version: Snort 2.9.6.0

Stream5 configuration:


# Target-Based stateful inspection/stream reassembly.  For more inforation,
see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no, \
   max_tcp 25600, \
   memcap 1073741824, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 0


If I lower the max_tcp would it effectively lower the amount of sessions in
memcap?

Please advise,

Alicia S.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140423/e32ac2a3/attachment.html>


More information about the Snort-users mailing list