Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Snort error message - S5: Session exceeded configured max bytes to queue

    IDS/IPS
    1
    1
    978
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cj58_92 last edited by

      Occasionally I see snort generated errors in my system log like this:

      S5: Session exceeded configured max bytes to queue 1048576 using 1049334 bytes (client queue). x.x.x.x 49561 –> x.x.x.x 80 (0) : LWstate 0xf LWFlags 0x4e007

      where x.x.x.x is the same external address. It seems peculiar that the external IP is sending information from one port to another port on the same IP through my router.

      In any case, I tried changing some variables in the Stream5 Preprocessor.
      I increased the Prune Log Max from the default 1,048,576 to 2,097,152 and
      the TCP Memory cap from 8,388,608 to 83,886,080 (commas added for readability.)
      I still get these errors occasionally.

      Can anyone tell me what this error means? Is there any other setting in the Snort config or pfSense System Tunables that I can change to address it? Is it a bug in Snort?

      EDIT: The aspect that is worrisome is that sometimes this error appears to crash snort such that snort alerts stop altogether requiring a reboot or forced update which refreshes the snort settings. I've tried restoring to a previous config and the problem still occurs.

      EDIT 2: After doing some googling, this error appears to have been around for four years, but there is no solution to the issue anywhere. Some posts have mentioned informing the snort development team, but it is surprising there haven't been any new developments or releases about it.

      EDIT 3: Found this post: "This is not a memcap issue.  There is a separate limit on the number of
      bytes that stream5 will queue (max_queued_bytes) and on the number of
      segments queued (max_queued_segs).  You can increase those numbers,
      however, 1 MB is a lot to queue.  As the the queue grows, it can take
      longer to handle out of order segments and that results in increased
      latency and eventually drops."
      If this is the case, is there a way to automatically refresh Snort or clear up the queue so that I don't have to monitor the system logs constantly in case this error arises and causes Snort to shut down?

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy