[Snort-users] Could not add event to decoderActionQ

elof at ...6680... elof at ...6680...
Wed Dec 17 04:56:17 EST 2014


Does no one have any answers to Q1 and Q2?

It is still happening even when upping the values to:
   config event_queue: max_queue 24 log 18 order_events content_length

...so the syslog-message doesn't seem to be related to this 
configuration.

/Elof


On Thu, 11 Dec 2014, elof at ...6680... wrote:

>
> Hi!
>
> After I updated all my sensors to snort 2.9.7.0, a few of them have
> started logging:
>
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event
> to decoderActionQ
> 2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop
> event to decoderActionQ
>
>
> I've been running snort for years, and this is the first time I've seen
> these. I wonder:
>
>
> Q1: What is this?
>
>
>
> I increased the line
> config event_queue: max_queue 8 log 5 order_events content_length
> to
> config event_queue: max_queue 16 log 12 order_events content_length
>
> ...but still get the syslog messages.
>
> Q2: Anyone know why?
>
>
> /Elof
>