[Snort-users] /var/log/messages filling up

Cynthia Leonard (cyleonar) cyleonar at ...589...
Tue May 19 05:27:34 EDT 2015


The fix is not available in 2.9.7.2; it may not be worth the build.

-Cynthia


From: test engineer [mailto:test12524 at ...11827...]
Sent: Monday, May 18, 2015 8:39 PM
To: Cynthia Leonard (cyleonar)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] /var/log/messages filling up

Cynthia,
Thank you for your response.  I'm currently configured as such:
OS:  CentOS 6.5 minimal install
Snort: 2.9.6.2
snort.conf:
  stream5-global:  memcap 1073741824  (maximum 1GB)
                   prune_log_max 0  (thought this would disable these messages but it didn't)
  stream5-tcp:     max_queued_bytes 0  (unlimited)
                   max_queued_segs 0  (unlimited)
This seems to have helped slightly, but it is still pruning sessions due to memcap.
I see SNORT 2.9.7.2 is now available.  Is it worth the time to rebuild?
Thanks again!


On Mon, May 18, 2015 at 6:22 AM, Cynthia Leonard (cyleonar) <cyleonar at ...589...> wrote:
Usually once the memcap reaches a certain limit, the sessions get pruned to free some memory. This message gets printed when x number of sessions are pruned, and sometimes it can quickly fill /var/log/messages.
This issue has been addressed in the upcoming version of snort 2.9.x.

Regards
Cynthia




From: test engineer [mailto:test12524 at ...11827...]
Sent: Wednesday, May 13, 2015 12:45 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] /var/log/messages filling up

Constant streaming of:

snort[2546]: S5: Pruned 10 sessions from cache for memcap. 1689 ssns remain.  memcap: 8376897/8388608
in the messages file.  Not sure what is causing it.  Suggestions?
Thank you!
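
To measure how many of these prune notices are landing in /var/log/messages and how close Stream5 is running to its memcap, the following added example (not part of the thread and not Snort's own code) tallies them. The syslog timestamp and hostname prefix, and all sample lines apart from the snort message format quoted above, are constructed assumptions.

```python
import re
from collections import Counter

# Message format follows the line quoted in the thread; the syslog prefix
# (timestamp, hostname) is an assumed default rsyslog layout.
PRUNE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ snort\[\d+\]: "
    r"S5: Pruned (?P<pruned>\d+) sessions from cache for memcap\. "
    r"(?P<remain>\d+) ssns remain\.\s+memcap: (?P<used>\d+)/(?P<cap>\d+)"
)

# Constructed sample input (hostname "sensor1" and the values are illustrative).
SAMPLE = """\
May 13 00:41:07 sensor1 snort[2546]: S5: Pruned 10 sessions from cache for memcap. 1689 ssns remain.  memcap: 8376897/8388608
May 13 00:41:09 sensor1 snort[2546]: S5: Pruned 10 sessions from cache for memcap. 1702 ssns remain.  memcap: 8380112/8388608
May 13 00:42:01 sensor1 sshd[901]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
May 13 00:42:15 sensor1 snort[2546]: S5: Pruned 10 sessions from cache for memcap. 1695 ssns remain.  memcap: 8371440/8388608
"""

def summarize_prunes(lines):
    """Tally Stream5 memcap prune notices from an iterable of syslog lines."""
    per_minute = Counter()
    events = sessions_pruned = peak_used = cap = 0
    for line in lines:
        m = PRUNE_RE.match(line)
        if not m:
            continue  # unrelated syslog entry
        events += 1
        sessions_pruned += int(m["pruned"])
        per_minute[m["minute"]] += 1
        if int(m["used"]) >= peak_used:
            peak_used, cap = int(m["used"]), int(m["cap"])
    return {
        "events": events,
        "sessions_pruned": sessions_pruned,
        "peak_used": peak_used,
        "memcap": cap,
        # Share of the configured memcap in use at the worst logged moment.
        "peak_pct": round(100 * peak_used / cap, 2) if cap else 0.0,
        # Minute with the most prune notices, i.e. the log-flood hot spot.
        "busiest_minute": per_minute.most_common(1)[0] if per_minute else None,
    }

if __name__ == "__main__":
    for key, value in summarize_prunes(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

To run it against a live sensor, pass the lines of /var/log/messages to `summarize_prunes` instead of `SAMPLE`.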
