Snort error message - S5: Session exceeded configured max bytes to queue



  • Occasionally I see snort generated errors in my system log like this:

    S5: Session exceeded configured max bytes to queue 1048576 using 1049334 bytes (client queue). x.x.x.x 49561 –> x.x.x.x 80 (0) : LWstate 0xf LWFlags 0x4e007

    where x.x.x.x is the same external address. It seems peculiar that the external IP is sending information from one port to another port on the same IP through my router.

    In any case, I tried changing some variables in the Stream5 Preprocessor.
    I increased the Prune Log Max from the default 1,048,576 to 2,097,152 and
    the TCP Memory cap from 8,388,608 to 83,886,080 (commas added for readability.)
    I still get these errors occasionally.

    Can anyone tell me what this error means? Is there any other setting in the Snort config or pfSense System Tunables that I can change to address it? Is it a bug in Snort?

    EDIT: The aspect that is worrisome is that sometimes this error appears to crash snort such that snort alerts stop altogether requiring a reboot or forced update which refreshes the snort settings. I've tried restoring to a previous config and the problem still occurs.

    EDIT 2: After doing some googling, this error appears to have been around for four years, but there is no solution to the issue anywhere. Some posts have mentioned informing the snort development team, but it is surprising there haven't been any new developments or releases about it.

    EDIT 3: Found this post: "This is not a memcap issue.  There is a separate limit on the number of
    bytes that stream5 will queue (max_queued_bytes) and on the number of
    segments queued (max_queued_segs).  You can increase those numbers,
    however, 1 MB is a lot to queue.  As the the queue grows, it can take
    longer to handle out of order segments and that results in increased
    latency and eventually drops."
    If this is the case, is there a way to automatically refresh Snort or clear up the queue so that I don't have to monitor the system logs constantly in case this error arises and causes Snort to shut down?