Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort, S5: Session exceeded Warning

    Scheduled Pinned Locked Moved IDS/IPS
    2 Posts 2 Posters 328 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      noor92
      last edited by

      Hello Guys,
      I am using pfSense CE Version 2.5.2, today when I logged in to the pfsense, I was getting below snort warnings, I hope if any one can help me to understand why I am getting this warning and how can I resolve this issue.

      Snort Alert S5.JPG

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        The default values in Snort for "max_queued_bytes" should be sufficient for most all situations.

        A common cause for seeing this error from Snort's Stream5 preprocessor is asymmetrical routing. Snort is seeing only one side of the conversation, and thus keeps queueing up bytes and never closing the session to recover memory. Likely Snort is never seeing the FIN/ACK part of the session transaction, as that would be the key to tell Snort the session is done and thus Snort can release the queue memory back into the pool for the next session to use. So when not seeing the end of previous sessions, and thus not cleaning up and recovering that memory, Snort will continue to allocate new buffer space for each session. Eventually it runs out of space, and that's the error you are seeing logged.

        You can increase the amount of session queue memory, but I think that would be just a temporary fix. Examine your setup for asymmetrical routing. You can capture on the interface and examine the traffic in Wireshark to see if both sides of a session's conversation are being seen.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.