Netgate Discussion Forum

    Snort error message - S5: Session exceeded configured max bytes to queue

      cj58_92

      Occasionally I see snort generated errors in my system log like this:

      S5: Session exceeded configured max bytes to queue 1048576 using 1049334 bytes (client queue). x.x.x.x 49561 --> x.x.x.x 80 (0) : LWstate 0xf LWFlags 0x4e007

      where x.x.x.x is the same external address. It seems peculiar that the external IP is sending information from one port to another port on the same IP through my router.

      In any case, I tried changing some variables in the Stream5 Preprocessor.
      I increased the Prune Log Max from the default 1,048,576 to 2,097,152 and
      the TCP Memory cap from 8,388,608 to 83,886,080 (commas added for readability.)
      I still get these errors occasionally.

      Can anyone tell me what this error means? Is there any other setting in the Snort config or pfSense System Tunables that I can change to address it? Is it a bug in Snort?

      EDIT: The aspect that is worrisome is that sometimes this error appears to crash snort such that snort alerts stop altogether requiring a reboot or forced update which refreshes the snort settings. I've tried restoring to a previous config and the problem still occurs.

      EDIT 2: After doing some googling, this error appears to have been around for four years, but there is no solution to the issue anywhere. Some posts have mentioned informing the snort development team, but it is surprising there haven't been any new developments or releases about it.

      EDIT 3: Found this post: "This is not a memcap issue.  There is a separate limit on the number of
      bytes that stream5 will queue (max_queued_bytes) and on the number of
      segments queued (max_queued_segs).  You can increase those numbers,
      however, 1 MB is a lot to queue.  As the queue grows, it can take
      longer to handle out of order segments and that results in increased
      latency and eventually drops."
      If this is the case, is there a way to automatically refresh Snort or clear up the queue so that I don't have to monitor the system logs constantly in case this error arises and causes Snort to shut down?

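A parser for the S5 message shown in the post above, added here as an example (it is not from the original post, Snort or pfSense). It pulls out the configured limit, the bytes queued, the queue side and the flow, so repeated overflows on one flow can be counted instead of read by eye in the system log. The log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the Stream5 message quoted in the post. The arrow is matched loosely
# because it is often mangled ("-->" vs an en dash) when logs are copied.
S5_RE = re.compile(
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<side>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) \S+ (?P<dst>\S+) (?P<dport>\d+) "
    r"\(\d+\) : LWstate (?P<lwstate>0x[0-9a-fA-F]+) LWFlags (?P<lwflags>0x[0-9a-fA-F]+)"
)

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 fw cron[999]: constructed unrelated line
Mar  3 10:15:02 fw snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1049334 bytes (client queue). 203.0.113.7 49561 --> 203.0.113.7 80 (0) : LWstate 0xf LWFlags 0x4e007
Mar  3 10:17:40 fw snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (server queue). 198.51.100.20 443 --> 203.0.113.7 51234 (0) : LWstate 0xf LWFlags 0x4e007
Mar  3 10:21:09 fw snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1048900 bytes (client queue). 203.0.113.7 49562 --> 203.0.113.7 80 (0) : LWstate 0xf LWFlags 0x4e007
"""

def parse_s5_events(text):
    """Return one dict per S5 queue-overflow message found in text."""
    events = []
    for line in text.splitlines():
        m = S5_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("limit", "used", "sport", "dport"):
            e[k] = int(e[k])
        e["over_by"] = e["used"] - e["limit"]   # bytes past max_queued_bytes
        e["same_host"] = e["src"] == e["dst"]   # the oddity noted in the post
        events.append(e)
    return events

def summarize(events):
    """Count events per (src, dst, dport, side) so repeating flows stand out."""
    return Counter((e["src"], e["dst"], e["dport"], e["side"]) for e in events)

if __name__ == "__main__":
    for flow, n in summarize(parse_s5_events(SAMPLE_LOG)).most_common():
        print(n, flow)
```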