Netgate Discussion Forum

Snort warning: S5 session exceeded configured max bytes to queue

    bmeeks
    last edited by Jun 3, 2010, 12:27 AM

    Since the last upgrade to package 1.26 of Snort on pfSense 1.2.3-RELEASE, I've started seeing a fair number of errors like these in my logs.  The last two octets of each IP address have been masked by me.  From my research on the web, the most often suggested remedy is to increase a memory value for Stream5 in the Snort configuration file, but I do not see the referenced section in the snort.conf file on my firewall.  Has anyone else seen this warning message or have a suggested fix for the pfSense package?

    By the way, these errors happen during relatively large file transfers from the web to my local machine.

    S5: Session exceeded configured max bytes to queue 1048576 using 1049210 bytes (client queue). 65.5.xxx.xxx 63229 --> 216.196.xxx.xxx 563 : LWstate 0x48 LWFlags 0x6107
    
    S5: Pruned session from cache that was using 1094654 bytes (new data/timedout). 65.5.xxx.xxx 65014 --> 216.196.xxx.xxx 13058 (0) : LWstate 0x448 LWFlags 0x216107
    
      jamesdean
      last edited by Jun 3, 2010, 1:23 AM

      @bmeeks:

      Since the last upgrade to package 1.26 of Snort on pfSense 1.2.3-RELEASE, I've started seeing a fair number of errors like these in my logs.  The last two octets of each IP address have been masked by me.  From my research on the web, the most often suggested remedy is to increase a memory value for Stream5 in the Snort configuration file, but I do not see the referenced section in the snort.conf file on my firewall.  Has anyone else seen this warning message or have a suggested fix for the pfSense package?

      By the way, these errors happen during relatively large file transfers from the web to my local machine.

      S5: Session exceeded configured max bytes to queue 1048576 using 1049210 bytes (client queue). 65.5.xxx.xxx 63229 --> 216.196.xxx.xxx 563 : LWstate 0x48 LWFlags 0x6107
      
      S5: Pruned session from cache that was using 1094654 bytes (new data/timedout). 65.5.xxx.xxx 65014 --> 216.196.xxx.xxx 13058 (0) : LWstate 0x448 LWFlags 0x216107
      

      I'll add that on the next release.

      James

        bmeeks
        last edited by Jun 3, 2010, 2:26 AM

        Thanks James… :)

          jamesdean
          last edited by Jun 4, 2010, 6:04 AM

          This option is in snort 2.6 pkg v. 27, try the new version and report back.

          James

            bmeeks
            last edited by Jun 5, 2010, 4:30 AM

            Early results look good.  I first tried doubling the default value, but I still got the max bytes exceeded messages.  I then did what most of the Google search results suggested and simply added a zero on the end of the 1,097,152 default to make it 10,971,520 and restarted Snort.  So far, with that value, I have not seen the warning message again.  I left the "max queue segs" parameter at the default value of 2621.

            I will continue testing and report back if the error returns.  Thanks for making those parameters so easy to configure in the GUI.

              bmeeks
              last edited by Jun 5, 2010, 1:36 PM

              Follow-up:

              Later on I did get a "max queue segs exceeded" warning.  I bumped that value up from the default of 2621 to 26,210 and have not had any further warning messages.

                jamesdean
                last edited by Jun 5, 2010, 6:22 PM Jun 5, 2010, 6:18 PM

                Thanks, good to know that this issue has been solved for you.

                I think I might add it to the FAQ.

                How big were your downloads when you started to receive these warnings?

                James

                  bmeeks
                  last edited by Jun 5, 2010, 7:32 PM

                  They ranged from 0.5 meg to maybe 5 megs each.  They were from an NNTP client (Agent).  It opens up to 10 sessions I believe when downloading.  That's where I noticed the message the most.

                  The pfSense box I'm using is an old PC with an 866 MHz Pentium CPU and 768 MB of RAM.  It works fine for my private LAN.

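Added example (not from the thread or the pfSense Snort package): a small Python parser for the two S5 warning formats quoted in the first post. It groups queue-limit hits by destination port, so you can see which service is filling the Stream5 reassembly queue before raising the limits. The sample log is constructed from the thread's two lines plus one made-up line, and the function names are illustrative.

```python
import re

# Constructed sample: the two warnings quoted in the first post, plus one
# made-up "server queue" line so the summary has more than one hit.
SAMPLE_LOG = """\
S5: Session exceeded configured max bytes to queue 1048576 using 1049210 bytes (client queue). 65.5.xxx.xxx 63229 --> 216.196.xxx.xxx 563 : LWstate 0x48 LWFlags 0x6107
S5: Pruned session from cache that was using 1094654 bytes (new data/timedout). 65.5.xxx.xxx 65014 --> 216.196.xxx.xxx 13058 (0) : LWstate 0x448 LWFlags 0x216107
S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (server queue). 65.5.xxx.xxx 63230 --> 216.196.xxx.xxx 563 : LWstate 0x48 LWFlags 0x6107
"""

# Flow tuple as it appears in the log: "src sport --> dst dport" (octets may be masked).
FLOW = r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
EXCEEDED = re.compile(
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>client|server) queue\)\. " + FLOW)
PRUNED = re.compile(
    r"S5: Pruned session from cache that was using (?P<used>\d+) bytes "
    r"\((?P<reason>[^)]*)\)\. " + FLOW)
INT_FIELDS = ("limit", "used", "sport", "dport")

def parse_s5(lines):
    """Return one dict per recognised S5 warning; other lines are skipped."""
    events = []
    for line in lines:
        for kind, rx in (("exceeded", EXCEEDED), ("pruned", PRUNED)):
            m = rx.search(line)
            if m:
                ev = {k: int(v) if k in INT_FIELDS else v
                      for k, v in m.groupdict().items()}
                ev["kind"] = kind
                events.append(ev)
                break
    return events

def summarize(events):
    """Per destination port: queue-limit hits, configured limit, peak bytes.

    The warning fires as the limit is crossed, so "peak" sits just above
    "limit"; the hit count per port is the more useful tuning signal.
    """
    by_port = {}
    for ev in events:
        if ev["kind"] != "exceeded":
            continue
        s = by_port.setdefault(ev["dport"], {"hits": 0, "limit": ev["limit"], "peak": 0})
        s["hits"] += 1
        s["peak"] = max(s["peak"], ev["used"])
    return by_port

if __name__ == "__main__":
    for port, s in sorted(summarize(parse_s5(SAMPLE_LOG.splitlines())).items()):
        print(f"dport {port}: {s['hits']} hits, limit {s['limit']}, peak {s['peak']}")
```

On the sample, every queue-limit hit lands on port 563 (NNTP over TLS), consistent with the NNTP client named in the thread. The two GUI fields discussed correspond to the `max_queued_bytes` and `max_queued_segs` options of Snort's `stream5_tcp` preprocessor.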