Snort warning: S5 session exceeded configured max bytes to queue

bmeeks

Since the last upgrade to package 1.26 of Snort on pfSense 1.2.3-RELEASE, I've started seeing a fair number of errors like these in my logs.  The last two octets of each IP address have been masked by me.  From my research on the web, the most often suggested remedy is to increase a memory value for Stream5 in the Snort configuration file, but I do not see the referenced section in the snort.conf file on my firewall.  Has anyone else seen this warning message or have a suggested fix for the pfSense package?

By the way, these errors happen during relatively large file transfers from the web to my local machine.

S5: Session exceeded configured max bytes to queue 1048576 using 1049210 bytes (client queue). 65.5.xxx.xxx 63229 --> 216.196.xxx.xxx 563 : LWstate 0x48 LWFlags 0x6107

S5: Pruned session from cache that was using 1094654 bytes (new data/timedout). 65.5.xxx.xxx 65014 --> 216.196.xxx.xxx 13058 (0) : LWstate 0x448 LWFlags 0x216107

jamesdean

@bmeeks:

Since the last upgrade to package 1.26 of Snort on pfSense 1.2.3-RELEASE, I've started seeing a fair number of errors like these in my logs.  The last two octets of each IP address have been masked by me.  From my research on the web, the most often suggested remedy is to increase a memory value for Stream5 in the Snort configuration file, but I do not see the referenced section in the snort.conf file on my firewall.  Has anyone else seen this warning message or have a suggested fix for the pfSense package?

By the way, these errors happen during relatively large file transfers from the web to my local machine.

S5: Session exceeded configured max bytes to queue 1048576 using 1049210 bytes (client queue). 65.5.xxx.xxx 63229 --> 216.196.xxx.xxx 563 : LWstate 0x48 LWFlags 0x6107

S5: Pruned session from cache that was using 1094654 bytes (new data/timedout). 65.5.xxx.xxx 65014 --> 216.196.xxx.xxx 13058 (0) : LWstate 0x448 LWFlags 0x216107

I'll add that on the next release.

James

bmeeks

Thanks James… :)

jamesdean

This option is in snort 2.6 pkg v. 27, try the new version and report back.

James

bmeeks

Early results look good.  I first tried doubling the default value, but I still got the max bytes exceeded messages.  I then did what most of the Google search results suggested and simply added a zero on the end of the 1,097,152 default to make it 10,971,520 and restarted Snort.  So far, with that value, I have not seen the warning message again.  I left the "max queue segs" parameter at the default value of 2621.

I will continue testing and report back if the error returns.  Thanks for making those parameters so easy to configure in the GUI.

bmeeks

Follow-up:

Later on I did get a "max queue segs exceeded" warning.  I bumped that value up from the default of 2621 to 26,210 and have not had any further warning messages.

jamesdean

Thanx, good to know that this issue is has been solved for you.

I think I might add it to the FAQ.

How big were your downloads when you started to receive these warning ?

James

bmeeks

They ranged from 0.5 meg to maybe 5 megs each.  They were from an NNTP client (Agent).  It opens up to 10 sessions I believe when downloading.  That's where I noticed the message the most.

The pfSense box I'm using is an old PC with a 866 MHz Pentium CPU and 768 MB of RAM.  It works fine for my private LAN.