[Snort-users] Fwd: Re: Stream5 error

Al Lewis (allewi) allewi at ...589...
Mon Apr 11 11:33:10 EDT 2016


Please see the README.stream5 for complete details.

require_3whs [<number secs>]
                            - Establish sessions only on completion
                              of a SYN/SYN-ACK/ACK handshake.  The default is
                              set to off.  The optional number of seconds
                              specifies a startup timeout.  This allows a grace
                              period for existing sessions to be considered
                              established during that interval immediately
                              after Snort is started.  The default is "0"
                              (don't consider existing sessions established),
                              the minimum is "0", and the maximum is "86400"
                              (approximately 1 day).


TCP Configuration
-----------------
Provides a means on a per IP address target to configure a TCP policy.
This can have multiple occurrences, per policy that is bound to an IP
address or network.  One default policy must be specified, and that policy
is not bound to an IP address or network.

- Preprocessor name: stream5_tcp
- Options:
    log_asymmetric_traffic <yes|no>
                            - Provides an option to log the messages for
                              asymmetric traffic. The default is set
                              to "no".
    bind_to <ip_addr>       - IP address for this policy.  The default is set
                              to any.
    timeout <number (secs)> - Session timeout.  The default is "30", the
                              minimum is "1", and the maximum is "86400"
                              (approximately 1 day).



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
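As an added example (not code from the Snort project or from anyone in this thread), the Python below parses the "S5: Session exceeded configured max bytes to queue" message whose format is quoted from snort_stream_tcp.c, flags sessions whose source and destination address are the same (the pattern in the original report), and reads the stream5_tcp line from a snort.conf to compare timeout and max_queued_bytes against the README.stream5 defaults (timeout 30; the max_queued_bytes default is assumed to be the 1048576 figure the log line reports). The sample log lines and the snort.conf fragment are constructed, and treating the trailing "(0)" field as a policy id is an assumption.

```python
"""Cross-check Stream5 prune messages against the stream5_tcp policy.

Added example; not part of Snort or of the mailing-list thread.
"""
import re
from collections import Counter

# Defaults from README.stream5 (timeout quoted in the thread; the
# max_queued_bytes default is assumed from the 1048576 value in the log).
STREAM5_TCP_DEFAULTS = {"timeout": 30, "max_queued_bytes": 1048576}

# Layout of the prune message, following the LogMessage() format string
# quoted from snort_stream_tcp.c.  The "(N)" after the ports is assumed
# to be the policy id.
S5_PRUNE_RE = re.compile(
    r"Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<side>client|server) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+) "
    r"\((?P<policy>\d+)\) : LWstate 0x(?P<lwstate>[0-9a-fA-F]+) "
    r"LWFlags 0x(?P<lwflags>[0-9a-fA-F]+)"
)


def parse_prune_line(line):
    """Return a dict for one S5 prune message, or None for any other line."""
    m = S5_PRUNE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("limit", "used", "sport", "dport", "policy"):
        rec[key] = int(rec[key])
    rec["lwstate"] = int(rec["lwstate"], 16)
    rec["lwflags"] = int(rec["lwflags"], 16)
    # The original poster's concern: both endpoints carry the same address.
    rec["same_endpoints"] = rec["src"] == rec["dst"]
    return rec


def summarize_prunes(lines):
    """Count prune messages per (src, dst, dport) and collect the
    same-endpoint sessions for manual review."""
    recs = [r for r in map(parse_prune_line, lines) if r]
    per_flow = Counter((r["src"], r["dst"], r["dport"]) for r in recs)
    same = [r for r in recs if r["same_endpoints"]]
    return {"total": len(recs), "per_flow": per_flow, "same_endpoints": same}


def parse_stream5_tcp(conf_text):
    """Parse every 'preprocessor stream5_tcp:' line (joining backslash
    continuations) into a list of option dicts, one per policy.
    Comma-separated items are 'key value...'; a bare key means yes."""
    joined = re.sub(r"\\\n\s*", " ", conf_text)
    policies = []
    for m in re.finditer(r"^\s*preprocessor\s+stream5_tcp:\s*(.*)$", joined, re.M):
        opts = {}
        for item in m.group(1).split(","):
            parts = item.split()
            if not parts:
                continue
            key, val = parts[0], " ".join(parts[1:]) or "yes"
            opts[key] = int(val) if val.isdigit() else val
        policies.append(opts)
    return policies


def check_stream5_tcp(opts):
    """Report every tracked option that differs from its README default."""
    findings = []
    for key, default in STREAM5_TCP_DEFAULTS.items():
        val = opts.get(key, default)
        if val != default:
            findings.append(f"{key}={val} (default {default})")
    return findings


# Constructed sample log lines (RFC 5737 addresses, not real traffic).
SAMPLE_LOG = [
    "S5: Session exceeded configured max bytes to queue 1048576 using 1050000 "
    "bytes (client queue). 203.0.113.7 13624 --> 203.0.113.7 80 (0) : "
    "LWstate 0x9 LWFlags 0x6007",
    "S5: Session exceeded configured max bytes to queue 1048576 using 1049312 "
    "bytes (server queue). 198.51.100.20 44120 --> 192.0.2.10 443 (0) : "
    "LWstate 0x9 LWFlags 0x6007",
    "Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>",
]

# Constructed snort.conf fragment with the 180 second timeout the thread
# discusses; not the file shipped by snort.org.
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \\
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \\
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143
"""

if __name__ == "__main__":
    summary = summarize_prunes(SAMPLE_LOG)
    print(f"{summary['total']} prune messages, "
          f"{len(summary['same_endpoints'])} with identical endpoints")
    for policy in parse_stream5_tcp(SAMPLE_CONF):
        print("stream5_tcp deviations:", check_stream5_tcp(policy) or "none")
```

Run it against a real snort.conf and log by replacing the two constructed samples; the per-flow counter tells you whether the prunes cluster on a handful of long-lived sessions (a timeout or max_queued_bytes question) or are spread across many endpoints.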

From: Cloherty, Sean E [mailto:scloherty at ...312...]
Sent: Monday, April 11, 2016 10:57 AM
To: Dave Corsello; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Fwd: Re: Stream5 error

The snort.conf for 2.9.8.2 that I got from the snort.org website does have the timeout set to 180 as well.

Is that the default?  Should we cut back to 30 secs?  What is the impact on detection if we do reduce the timeout?

From: Dave Corsello [mailto:snort-users at ...15598...]
Sent: Friday, April 08, 2016 4:37 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Fwd: Re: Stream5 error

My comments below:

On 4/7/2016 5:57 PM, Al Lewis (allewi) wrote:
Was there a reason you changed the session time_out and require_3whs fields?

I didn't change them from the values that were set by Sourcefire/Cisco.  I have now changed timeout to 30 and require_3whs to 0.

You are keeping sessions active 6 times longer than the default (30 seconds for timeout) so that may be why snort has no choice but to alert and prune them.

Did you change the max bytes for a session? You may need to raise the max_tcp bytes in the stream global setting.

Again, I left the original values unchanged.  I would be inclined to leave them as they are after making the above changes unless you recommend otherwise.

 Also did you see my previous message? If any of the conditions below are true then snort will send the message and prune the session.
 If you don’t have a config I would think that you are hitting one of these conditions from line 7201 in “preprocessors/Stream6/snort_stream_tcp.c:”


7201         if (stream_session_config->prune_log_max && (TwoWayTraffic(tcpssn->scb) || s5TcpPolicy->log_asymmetric_traffic) && !(tcpssn->scb->ha_state.session_flags & SSNFLAG_LOGGED_QUEUE_FULL))
7202         {
7203             LogMessage("S5: Session exceeded configured max bytes to queue %d "
7204                     "using %d bytes (%s). %s %d --> %s %d "





From: Dave Corsello [mailto:snort-users at ...15598...]
Sent: Thursday, April 07, 2016 4:15 PM
To: Al Lewis (allewi)
Subject: Re: [Snort-users] Stream5 error

Thanks for your reply.  My snort.conf is attached.  Here's the startup command from my init script:
exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf -D
On 4/7/2016 3:02 PM, Al Lewis (allewi) wrote:

Do you have a copy of your configuration that you can share?


From: Dave Corsello [mailto:snort-users at ...15598...]
Sent: Thursday, April 07, 2016 2:08 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Stream5 error

I'm getting a number of S5 errors like the following:
Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : LWstate 0x9 LWFlags 0x6007

I typically have not seen this error.  I'm not sure when it started.  I'm concerned because in each case, the source and destination IPs are identical to one another, and because in each case the address is a public address outside of my network.  Can someone help me to understand what's happening, and if correctable, what kinds of Snort configuration changes can correct this?

Thanks,
Dave


