[Snort-users] Snort Memcap issue

Kurzawa, Kevin kkurzawa at ...16800...
Wed Apr 23 17:00:30 EDT 2014


Wouldn’t lowering the max_tcp reduce the amount of sessions stored in memory and therefore reduce the likelihood of being able to alert on actual intrusions since more sessions will likely go unmonitored?

If the memcap is maxed out, and sessions are being pruned, it seems that overall RAM would be the culprit, right? Reducing the sessions would, in a way, be manually snipping these sessions /before/ sessions are stored in memory instead of afterwards?

Maybe I’m not understanding how the sessions are stored and managed though.


From: Mnemonyss [mailto:mnemonyss at ...11827...]
Sent: Wednesday, April 23, 2014 1:52 PM
To: Hui Cao (huica)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Memcap issue

I have memcap set at its max, so I lowered max_tcp and the messages stopped.

Thank you!
Alicia S.

On Wed, Apr 23, 2014 at 12:25 PM, Hui Cao (huica) <huica at ...589...> wrote:
You need to increase memcap to get rid of this. Lowering max_tcp also helps.

Best,
Hui

From: Mnemonyss <mnemonyss at ...11827...>
Date: Wednesday, April 23, 2014 at 1:17 PM
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort Memcap issue


I am continuing to see these and would like to know if there's some alternate configuration I should try to get rid of this output:
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824
Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824

Version: Snort 2.9.6.0
Stream5 configuration:


# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no, \
   max_tcp 25600, \
   memcap 1073741824, \
   max_active_responses 2, \
   min_response_seconds 5, \
   prune_log_max 0

If I lower the max_tcp would it effectively lower the amount of sessions in memcap?
Please advise,

Alicia S.
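
Added example (not from the thread, Snort, or the Stream5 code): a small Python check that parses the "S5: Pruned ... for memcap" lines quoted above and compares the configured max_tcp with the number of sessions that memcap can actually hold. It divides the reported memcap usage by the sessions remaining to get an average per-session cost; that is a simplification of how Stream5 accounts memory (the memcap covers packet storage for reassembly, so real per-session cost varies with traffic), and the resulting "sessions that fit" figure is an estimate, not a Stream5 value. The sample log is the three lines from the original post plus one constructed unrelated line to show that non-prune messages are ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Shape of the Stream5 memcap prune message as it appears in Snort 2.9.x syslog output.
PRUNE_RE = re.compile(
    r"S5: Pruned (?P<pruned>\d+) sessions from cache for memcap\. "
    r"(?P<remain>\d+) ssns remain\.\s+memcap: (?P<used>\d+)/(?P<limit>\d+)"
)

# Constructed sample: the three lines quoted in the thread plus one unrelated line.
SAMPLE_LOG: List[str] = [
    "Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25595 ssns remain.  memcap: 1073738736/1073741824",
    "Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25590 ssns remain.  memcap: 1073736864/1073741824",
    "Apr 20 03:15:10 NIDS snort[2759]: S5: Pruned 5 sessions from cache for memcap. 25585 ssns remain.  memcap: 1073739717/1073741824",
    "Apr 20 03:15:11 NIDS snort[2759]: (constructed) some other message that must be ignored",
]


@dataclass
class PruneEvent:
    pruned: int   # sessions dropped by this prune pass
    remain: int   # sessions still in the cache afterwards
    used: int     # bytes Stream5 currently charges against memcap
    limit: int    # configured memcap in bytes

    @property
    def utilization(self) -> float:
        return self.used / self.limit

    @property
    def bytes_per_session(self) -> float:
        # Average memory per tracked session at the moment of the prune (an estimate).
        return self.used / self.remain

    def sessions_that_fit(self) -> int:
        # How many sessions of that average size fit under memcap; integer math avoids rounding up.
        return self.limit * self.remain // self.used


def parse_prune_line(line: str) -> Optional[PruneEvent]:
    """Return a PruneEvent for a Stream5 memcap prune line, or None for any other line."""
    m = PRUNE_RE.search(line)
    if m is None:
        return None
    return PruneEvent(**{k: int(v) for k, v in m.groupdict().items()})


def assess(lines: Iterable[str], max_tcp: int) -> Dict[str, object]:
    """Summarise prune events and compare max_tcp with what memcap can hold."""
    events = [e for e in map(parse_prune_line, lines) if e is not None]
    if not events:
        return {"events": 0, "verdict": "no memcap pruning seen"}
    fit = min(e.sessions_that_fit() for e in events)  # most conservative estimate
    over_by = max(0, max_tcp - fit)
    if over_by:
        verdict = (f"max_tcp {max_tcp} exceeds the ~{fit} sessions memcap can hold at the "
                   f"observed session size; raise memcap or set max_tcp <= {fit}")
    else:
        verdict = "max_tcp is within the memcap estimate; per-session usage is spiking"
    return {
        "events": len(events),
        "total_pruned": sum(e.pruned for e in events),
        "peak_utilization": max(e.utilization for e in events),
        "avg_bytes_per_session": sum(e.bytes_per_session for e in events) / len(events),
        "sessions_that_fit": fit,
        "max_tcp_over_by": over_by,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # max_tcp 25600 is the value from the stream5_global line in the thread.
    for key, value in assess(SAMPLE_LOG, max_tcp=25600).items():
        print(f"{key}: {value}")
```

On the thread's numbers the estimate comes out at roughly 42 KB per session and about 25585 sessions under a 1 GiB memcap, a few sessions short of max_tcp 25600, which is why Stream5 was pruning at the ceiling and why either raising memcap or lowering max_tcp silences the message. Lowering max_tcp only shifts where sessions are dropped (at the cap instead of at a prune pass); it does not give Stream5 more room to track traffic.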
