Snort, S5: Session exceeded Warning
-
Hello Guys,
I am using pfSense CE Version 2.5.2, today when I logged in to the pfsense, I was getting below snort warnings, I hope if any one can help me to understand why I am getting this warning and how can I resolve this issue.
-
The default values in Snort for "max_queued_bytes" should be sufficient for most all situations.
A common cause for seeing this error from Snort's Stream5 preprocessor is asymmetrical routing. Snort is seeing only one side of the conversation, and thus keeps queueing up bytes and never closing the session to recover memory. Likely Snort is never seeing the FIN/ACK part of the session transaction, as that would be the key to tell Snort the session is done and thus Snort can release the queue memory back into the pool for the next session to use. So when not seeing the end of previous sessions, and thus not cleaning up and recovering that memory, Snort will continue to allocate new buffer space for each session. Eventually it runs out of space, and that's the error you are seeing logged.
You can increase the amount of session queue memory, but I think that would be just a temporary fix. Examine your setup for asymmetrical routing. You can capture on the interface and examine the traffic in Wireshark to see if both sides of a session's conversation are being seen.
