[Snort-users] Snort Memcap issue

Mnemonyss mnemonyss at ...11827...
Wed Apr 23 13:51:48 EDT 2014


I have memcap set at it's max, so I lowered max_tcp and the messages
stopped.

Thank you!

Alicia S.


On Wed, Apr 23, 2014 at 12:25 PM, Hui Cao (huica) <huica at ...589...> wrote:

>  You need increase memcap to get rid of this. Lower max_tcp also helps.
>
>  Best,
> Hui
>
>   From: Mnemonyss <mnemonyss at ...11827...>
> Date: Wednesday, April 23, 2014 at 1:17 PM
> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net
> >
> Subject: [Snort-users] Snort Memcap issue
>
>
>  I am continuing to see these and would like to know if there's some
> alternate configuration I should try to get rid of this output:
> Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for
> memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
> Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for
> memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
> Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for
> memcap. 25585 ssns remain.  memcap: 1073739717/1073741824
>
>
>  Version: Snort 2.9.6.0
>
>  Stream5 configuration:
>
>
> # Target-Based stateful inspection/stream reassembly.  For more
> inforation, see README.stream5
> preprocessor stream5_global: track_tcp yes, \
>    track_udp no, \
>    track_icmp no, \
>    max_tcp 25600, \
>    memcap 1073741824, \
>    max_active_responses 2, \
>    min_response_seconds 5, \
>    prune_log_max 0
>
>
>  If I lower the max_tcp would it effectively lower the amount of sessions
> in memcap?
>
>  Please advise,
>
> Alicia S.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140423/d0682df7/attachment.html>


More information about the Snort-users mailing list