1. Home
  2. pfSense Packages
  3. IDS/IPS
  4. Snort error message - S5: Session exceeded configured max bytes to queue

Snort error message - S5: Session exceeded configured max bytes to queue

  • C

    Occasionally I see snort generated errors in my system log like this:

    S5: Session exceeded configured max bytes to queue 1048576 using 1049334 bytes (client queue). x.x.x.x 49561 –> x.x.x.x 80 (0) : LWstate 0xf LWFlags 0x4e007

    where x.x.x.x is the same external address. It seems peculiar that the external IP is sending information from one port to another port on the same IP through my router.

    In any case, I tried changing some variables in the Stream5 Preprocessor.
    I increased the Prune Log Max from the default 1,048,576 to 2,097,152 and
    the TCP Memory cap from 8,388,608 to 83,886,080 (commas added for readability.)
    I still get these errors occasionally.

    Can anyone tell me what this error means? Is there any other setting in the Snort config or pfSense System Tunables that I can change to address it? Is it a bug in Snort?

    EDIT: The aspect that is worrisome is that sometimes this error appears to crash snort such that snort alerts stop altogether requiring a reboot or forced update which refreshes the snort settings. I've tried restoring to a previous config and the problem still occurs.

    EDIT 2: After doing some googling, this error appears to have been around for four years, but there is no solution to the issue anywhere. Some posts have mentioned informing the snort development team, but it is surprising there haven't been any new developments or releases about it.

    EDIT 3: Found this post: "This is not a memcap issue.  There is a separate limit on the number of
    bytes that stream5 will queue (max_queued_bytes) and on the number of
    segments queued (max_queued_segs).  You can increase those numbers,
    however, 1 MB is a lot to queue.  As the the queue grows, it can take
    longer to handle out of order segments and that results in increased
    latency and eventually drops."
    If this is the case, is there a way to automatically refresh Snort or clear up the queue so that I don't have to monitor the system logs constantly in case this error arises and causes Snort to shut down?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy