[Snort-users] Fwd: Re: Stream5 error

Dave Corsello snort-users at ...15598...
Fri Apr 8 16:36:44 EDT 2016


My comments below:

On 4/7/2016 5:57 PM, Al Lewis (allewi) wrote:
>
> Was there a reason you changed the session time_out and require_3whs 
> fields?
>

I didn't change them from the values that were set by Sourcefire/Cisco.  
I have now changed timeout to 30 and require_3whs to 0.

> You are keeping sessions active 6 times longer than the default (30 
> seconds for timeout) so that may be why snort has no choice but to 
> alert and prune them.
>
> Did you change the max bytes for a session? You may need to raise the 
> max_tcp bytes in the stream global setting.
>

Again, I left the original values unchanged.  I would be inclined to 
leave them as they are after making the above changes unless you 
recommend otherwise.

> Also did you see my previous message? If any of the conditions below 
> are true then snort will send the message and prune the session.
>
> If you don’t have a config I would think that you are hitting one of 
> these conditions from line 7201 in 
> “preprocessors/Stream6/snort_stream_tcp.c:”
>
> 7201 if (stream_session_config->prune_log_max && 
>          (TwoWayTraffic(tcpssn->scb) || s5TcpPolicy->log_asymmetric_traffic) && 
>          !(tcpssn->scb->ha_state.session_flags & SSNFLAG_LOGGED_QUEUE_FULL))
> 7202 {
> 7203     LogMessage("S5: Session exceeded configured max bytes to queue %d "
> 7204                "using %d bytes (%s). %s %d --> %s %d "
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCEfire, Inc. now part of Cisco
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
> From: Dave Corsello [mailto:snort-users at ...15598...]
> Sent: Thursday, April 07, 2016 4:15 PM
> To: Al Lewis (allewi)
> Subject: Re: [Snort-users] Stream5 error
>
> Thanks for your reply.  My snort.conf is attached.  Here's the startup 
> command from my init script:
>
> exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var 
> queue=1 -c /etc/snort/snort.conf -D
>
> On 4/7/2016 3:02 PM, Al Lewis (allewi) wrote:
>
> Do you have a copy of your configuration that you can share?
>
> Albert Lewis
>
>
> From: Dave Corsello [mailto:snort-users at ...15598...]
> Sent: Thursday, April 07, 2016 2:08 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Stream5 error
>
> I'm getting a number of S5 errors like the following:
>
> Session exceeded configured max bytes to queue 1048576 using 1050000 
> bytes (client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : 
> LWstate 0x9 LWFlags 0x6007
>
>
> I typically have not seen this error.  I'm not sure when it started.  
> I'm concerned because in each case, the source and destination IPs are 
> identical to one another, and because in each case the address is a 
> public address outside of my network.  Can someone help me to 
> understand what's happening, and if correctable, what kinds of Snort 
> configuration changes can correct this?
>
> Thanks,
> Dave
>

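The "Session exceeded configured max bytes to queue" line quoted above has a fixed shape, so the triage Dave is doing by eye (how far over the limit each session was, and whether the source and destination address are the same) can be done over a whole log file. The following parser is an added example written for this thread, not code from Snort or from either poster; the message format is taken from the LogMessage format string and the sample line quoted above, while the log lines it runs on are constructed here (TEST-NET addresses), and the field names PruneEvent, parse_prune_line and summarize are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern for the Stream5 prune message. The "(policy) : LWstate ... LWFlags ..."
# tail is optional so that a build that logs a shorter variant still matches.
S5_QUEUE_FULL = re.compile(
    r"Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>client|server) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
    r"(?: \((?P<policy>\d+)\) : LWstate (?P<lwstate>0x[0-9a-fA-F]+) "
    r"LWFlags (?P<lwflags>0x[0-9a-fA-F]+))?"
)


@dataclass
class PruneEvent:
    """One parsed 'max bytes to queue' prune message."""
    limit: int          # configured queue limit (bytes)
    used: int           # bytes queued when Stream5 gave up on the session
    queue: str          # "client" or "server"
    src: str
    sport: int
    dst: str
    dport: int
    lwflags: Optional[int]  # raw LWFlags value, kept as an integer, not decoded

    @property
    def overage(self) -> int:
        """How many bytes past the configured limit the session went."""
        return self.used - self.limit

    @property
    def same_endpoint(self) -> bool:
        """True when source and destination address are identical (Dave's concern)."""
        return self.src == self.dst


def parse_prune_line(line: str) -> Optional[PruneEvent]:
    """Return a PruneEvent for a Stream5 prune line, or None for any other line."""
    m = S5_QUEUE_FULL.search(line)
    if not m:
        return None
    flags = m.group("lwflags")
    return PruneEvent(
        limit=int(m.group("limit")),
        used=int(m.group("used")),
        queue=m.group("queue"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        lwflags=int(flags, 16) if flags else None,
    )


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate prune events: total, same-endpoint count, per-port counts, worst overage."""
    events = [e for e in map(parse_prune_line, lines) if e is not None]
    return {
        "total": len(events),
        "same_endpoint_count": sum(1 for e in events if e.same_endpoint),
        "by_dport": dict(Counter(e.dport for e in events)),
        "max_overage": max((e.overage for e in events), default=0),
    }


# Constructed sample log lines (documentation-range addresses), not taken from the thread.
SAMPLE_LOG = [
    "S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes "
    "(client queue). 203.0.113.10 13624 --> 203.0.113.10 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "S5: Session exceeded configured max bytes to queue 1048576 using 1048600 bytes "
    "(server queue). 198.51.100.7 44102 --> 192.0.2.25 443 (0) : LWstate 0x9 LWFlags 0x6007",
    "S5: Session exceeded configured max bytes to queue 1048576 using 1100000 bytes "
    "(client queue). 203.0.113.44 50010 --> 203.0.113.44 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "Snort successfully loaded all rules and checked all rule chains!",  # ignored
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        ev = parse_prune_line(raw)
        if ev:
            print(f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.queue} queue, "
                  f"+{ev.overage} bytes over limit, same endpoint: {ev.same_endpoint}")
    print(summarize(SAMPLE_LOG))
```

Feeding the real Snort log through summarize() separates the two questions in the thread: a large same_endpoint_count points at the address oddity Dave raised, while the overage figures show whether the sessions are barely over the queue limit (a tuning question) or far past it.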

