[Snort-users] Stream5 error

Al Lewis (allewi) allewi at ...589...
Thu Apr 7 18:08:39 EDT 2016


Please see the README.session file in the documentation: You may need to change this setting.

prune_log_max <bytes>   - Print a message when a session terminates that
                          was consuming more than the specified number of
                          bytes.  The default is "1048576" (1MB), minimum
                          can be either "0" (disabled) or if not disabled
                          the minimum is "1024" and maximum is "1073741824".


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Al Lewis (allewi)
Sent: Thursday, April 07, 2016 3:15 PM
To: Dave Corsello; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Stream5 error

If you don’t have a config I would think that you are hitting one of these conditions from line 7201 in “preprocessors/Stream6/snort_stream_tcp.c”:


7201         if (stream_session_config->prune_log_max && (TwoWayTraffic(tcpssn->scb) || s5TcpPolicy->log_asymmetric_traffic) && !(tcpssn->scb->ha_state.session_flags & SSNFLAG_LOGGED_QUEUE_FULL))
7202         {
7203             LogMessage("S5: Session exceeded configured max bytes to queue %d "
7204                     "using %d bytes (%s). %s %d --> %s %d "

Maybe you are hitting the max bytes configured for a session?

What does your stream preprocessor setup look like?





From: Al Lewis (allewi)
Sent: Thursday, April 07, 2016 3:03 PM
To: Dave Corsello; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Stream5 error

Do you have a copy of your configuration that you can share?


From: Dave Corsello [mailto:snort-users at ...15598...]
Sent: Thursday, April 07, 2016 2:08 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Stream5 error

I'm getting a number of S5 errors like the following:
Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : LWstate 0x9 LWFlags 0x6007

I typically have not seen this error.  I'm not sure when it started.  I'm concerned because in each case, the source and destination IPs are identical to one another, and because in each case the address is a public address outside of my network.  Can someone help me to understand what's happening, and if correctable, what kinds of Snort configuration changes can correct this?

Thanks,
Dave
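
A triage sketch for the message discussed in this thread, added here as an example and not part of any poster's message or of Snort itself: it parses "Session exceeded configured max bytes to queue" lines, reports how far each session ran over the configured limit, and flags entries whose source and destination addresses are identical. The syslog prefix, host name and addresses in the sample are constructed; the message layout is taken from the sample line and format string quoted above.

```python
import re
from collections import Counter

# Pattern built from the sample message in this thread; the "S5: " prefix
# comes from the LogMessage() format string quoted above.
S5_RE = re.compile(
    r"Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>[^)]+)\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
    r"(?: \((?P<proto>\d+)\) : LWstate (?P<lwstate>0x[0-9a-fA-F]+) "
    r"LWFlags (?P<lwflags>0x[0-9a-fA-F]+))?"
)

# Constructed sample lines (documentation address ranges, assumed syslog prefix).
SAMPLE_LOG = """\
Apr  7 14:01:02 sensor snort[2211]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). 203.0.113.10 13624 --> 203.0.113.10 80 (0) : LWstate 0x9 LWFlags 0x6007
Apr  7 14:01:09 sensor snort[2211]: S5: Session exceeded configured max bytes to queue 1048576 using 1049812 bytes (server queue). 198.51.100.7 51512 --> 192.0.2.25 443 (0) : LWstate 0x9 LWFlags 0x6007
Apr  7 14:02:30 sensor snort[2211]: S5: Session exceeded configured max bytes to queue 1048576 using 1052200 bytes (client queue). 203.0.113.10 13701 --> 203.0.113.10 80 (0) : LWstate 0x9 LWFlags 0x6007
Apr  7 14:02:31 sensor snort[2211]: Some unrelated message
"""

def parse_s5_events(text):
    """Return one dict per S5 'exceeded max bytes' message found in text."""
    events = []
    for line in text.splitlines():
        m = S5_RE.search(line)
        if not m:
            continue  # not an S5 queue-limit message
        ev = m.groupdict()
        for key in ("limit", "used", "sport", "dport"):
            ev[key] = int(ev[key])
        ev["over_by"] = ev["used"] - ev["limit"]
        ev["same_endpoints"] = ev["src"] == ev["dst"]
        events.append(ev)
    return events

def summarize(events):
    """Count events per (src, dst, dport) and list addresses logged as both ends."""
    per_flow = Counter((e["src"], e["dst"], e["dport"]) for e in events)
    same = sorted({e["src"] for e in events if e["same_endpoints"]})
    return per_flow, same

if __name__ == "__main__":
    flows, same = summarize(parse_s5_events(SAMPLE_LOG))
    for (src, dst, dport), n in flows.most_common():
        print(f"{n:3d}  {src} -> {dst}:{dport}")
    print("identical source/destination:", same)
```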