[Snort-users] Snort Memcap issue

Hui Cao (huica) huica at ...589...
Wed Apr 23 13:25:16 EDT 2014


You need to increase memcap to get rid of this. Lowering max_tcp also helps.

Best,
Hui

From: Mnemonyss <mnemonyss at ...11827...>
Date: Wednesday, April 23, 2014 at 1:17 PM
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort Memcap issue


I am continuing to see these and would like to know if there's some alternate configuration I should try to get rid of this output:
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824


Version: Snort 2.9.6.0

Stream5 configuration:


# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no, \
   max_tcp 25600, \
   memcap 1073741824, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 0


If I lower the max_tcp would it effectively lower the amount of sessions in memcap?

Please advise,

Alicia S.
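
The log lines quoted above already show which limit is being hit. The following is an added example, not part of the original thread: it parses those S5 prune messages and compares memcap utilisation with the remaining max_tcp headroom. The function names are hypothetical, and the per-session figure is a rough average that assumes memory use scales with session count.

```python
import re

# Log lines copied from the message above.
SAMPLE_LOG = """\
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824
"""

PRUNE_RE = re.compile(
    r"S5: Pruned (?P<pruned>\d+) sessions? from cache for (?P<reason>\w+)\. "
    r"(?P<remain>\d+) ssns remain\.\s+memcap: (?P<used>\d+)/(?P<cap>\d+)"
)

def parse_prunes(text):
    """Return one dict per S5 prune message; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PRUNE_RE.search(line)
        if m:
            events.append({k: v if k == "reason" else int(v)
                           for k, v in m.groupdict().items()})
    return events

def summarize(events, max_tcp):
    """Compare memory use and session count against their configured limits."""
    if not events:
        return None
    cap = events[0]["cap"]
    # Skip events with zero remaining sessions to avoid dividing by zero.
    per_session = [e["used"] // e["remain"] for e in events if e["remain"]]
    avg = sum(per_session) // len(per_session) if per_session else 0
    return {
        "pruned_total": sum(e["pruned"] for e in events),
        "reasons": sorted({e["reason"] for e in events}),
        "peak_memcap_pct": max(e["used"] for e in events) * 100.0 / cap,
        "session_headroom": max_tcp - max(e["remain"] for e in events),
        "avg_bytes_per_session": avg,
        # Rough estimate: sessions that fit under memcap at the observed average.
        "est_sessions_at_memcap": cap // avg if avg else None,
    }

if __name__ == "__main__":
    # max_tcp value taken from the stream5_global line quoted above.
    for key, value in summarize(parse_prunes(SAMPLE_LOG), max_tcp=25600).items():
        print(f"{key}: {value}")
```

On these three lines the prune reason is memcap, usage is above 99.9% of the configured 1073741824 bytes, and the session count is still just under max_tcp.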