[Snort-users] /var/log/messages filling up

test engineer test12524 at ...11827...
Mon May 18 11:09:20 EDT 2015


Cynthia,

Thank you for your response.  I'm currently configured as such:

OS:  CentOS 6.5 minimal install
Snort: 2.9.6.2
snort.conf:  stream5-global:  memcap 1073741824  (maximum 1GB)
                                          prune_log_max 0   (thought this
would disable these messages but it didn't)

                  stream5-tcp:  max_queued_bytes 0 (unlimited)
                                       max_queued_segs 0 (unlimited)

This seems to have helped slightly but still pruning sessions due to memcap.

I see SNORT 2.9.7.2 is now available.  Is it worth the time to rebuild?

Thanks again!


On Mon, May 18, 2015 at 6:22 AM, Cynthia Leonard (cyleonar) <
cyleonar at ...589...> wrote:

>  Usually once the memcap reaches a certain limit, the sessions get pruned
> to free some memory. This message gets printed  when x number sessions are
> pruned and sometimes it can be quickly fill /var/log/messages.
>
> This issue has been addressed in the upcoming version of snort 2.9.x.
>
>
>
> Regards
>
> Cynthia
>
>
>
>
>
>
>
>
>
> *From:* test engineer [mailto:test12524 at ...11827...]
> *Sent:* Wednesday, May 13, 2015 12:45 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] /var/log/messages filling up
>
>
>
> Constant streaming of:
>
> snort[2546]: S5: Pruned 10 sessions from cache for memcap. 1689 ssns
> remain.  memcap: 8376897/8388608
>
> in the messages file.  Not sure what is causing it.  Suggestions?
>
> Thank you!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150518/0583bd2f/attachment.html>


More information about the Snort-users mailing list