[Snort-users] /var/log/messages filling up
Cynthia Leonard (cyleonar)
cyleonar at ...589...
Tue May 19 05:27:34 EDT 2015
The fix is not available in 220.127.116.11; it may not be worth the build.
From: test engineer [mailto:test12524 at ...11827...]
Sent: Monday, May 18, 2015 8:39 PM
To: Cynthia Leonard (cyleonar)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] /var/log/messages filling up
Thank you for your response. I'm currently configured as such:
OS: CentOS 6.5 minimal install
snort.conf: stream5-global: memcap 1073741824 (maximum 1GB)
prune_log_max 0 (thought this would disable these messages but it didn't)
stream5-tcp: max_queued_bytes 0 (unlimited)
max_queued_segs 0 (unlimited)
This seems to have helped slightly but still pruning sessions due to memcap.
I see SNORT 18.104.22.168 is now available. Is it worth the time to rebuild?
On Mon, May 18, 2015 at 6:22 AM, Cynthia Leonard (cyleonar) <cyleonar at ...589...> wrote:
Usually once the memcap reaches a certain limit, the sessions get pruned to free some memory. This message gets printed when x number of sessions are pruned, and sometimes it can quickly fill /var/log/messages.
This issue has been addressed in the upcoming version of snort 2.9.x.
From: test engineer [mailto:test12524 at ...11827...]
Sent: Wednesday, May 13, 2015 12:45 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] /var/log/messages filling up
Constant streaming of:
snort: S5: Pruned 10 sessions from cache for memcap. 1689 ssns remain. memcap: 8376897/8388608
in the messages file. Not sure what is causing it. Suggestions?
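
Added example, not part of the thread or of Snort itself: a small Python parser that tallies the "S5: Pruned" messages discussed above and compares the memcap limit printed in each message with the value configured in snort.conf. It assumes the two numbers after "memcap:" are bytes in use and the limit in effect; the function name, hostname and all sample lines other than the quoted message are constructed.

```python
import re
from collections import Counter

# Pattern built from the one message quoted in the thread; an optional
# "[pid]" after "snort" is allowed because syslog often adds it.
PRUNE_RE = re.compile(
    r"snort(?:\[\d+\])?: S5: Pruned (?P<pruned>\d+) sessions from cache "
    r"for memcap\.\s+(?P<remain>\d+) ssns remain\.\s+"
    r"memcap: (?P<used>\d+)/(?P<limit>\d+)"
)

# Constructed sample: the first message body is the one from the thread,
# the timestamps, hostname and remaining lines are made up.
SAMPLE = [
    "May 13 00:41:02 sensor1 snort: S5: Pruned 10 sessions from cache for "
    "memcap. 1689 ssns remain. memcap: 8376897/8388608",
    "May 13 00:41:02 sensor1 snort[2211]: S5: Pruned 5 sessions from cache "
    "for memcap. 1684 ssns remain.  memcap: 8380000/8388608",
    "May 13 00:41:03 sensor1 sshd[901]: Accepted publickey for admin",
]

def summarize_prunes(lines, configured_memcap=None):
    """Tally prune messages and flag limits that differ from snort.conf."""
    events = pruned = 0
    peak_ratio = 0.0
    limits = Counter()
    for line in lines:
        m = PRUNE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        events += 1
        pruned += int(m["pruned"])
        limit = int(m["limit"])
        limits[limit] += 1
        if limit:
            peak_ratio = max(peak_ratio, int(m["used"]) / limit)
    # A logged limit that is not the configured one suggests the running
    # process has not picked up the new memcap setting.
    mismatch = sorted(
        l for l in limits
        if configured_memcap is not None and l != configured_memcap
    )
    return {"events": events, "pruned": pruned, "limits": dict(limits),
            "peak_ratio": peak_ratio, "mismatch": mismatch}

if __name__ == "__main__":
    # 1073741824 is the memcap value given in the thread's snort.conf.
    print(summarize_prunes(SAMPLE, configured_memcap=1073741824))
```

Run against the real /var/log/messages by passing an open file object instead of SAMPLE.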