Snort Problem



  • We recently started using Snort for IPS/IDS on our PFSense box. For the most part it has been working great but I can not seem to figure out how to get the Stream5 settings correct.  We are using Snort 2.8.6.1 pkg v. 1.34.  I have Max Queued Bytes set to 134217728 and Max Queued Segs set to 262100.  I have also tried setting both of those to 0, which I believe should then use the maximum possible memory.  Nothing seems to make a difference and we still constantly get errors similar to the below one in our system logs.  Any ideas on what the problem could be?

    Oct 26 14:06:51 snort[56817]: S5: Pruned 5 sessions from cache for memcap. 362 ssns remain. memcap: 8138111/8388608
    Oct 26 14:06:51 snort[56814]: S5: Pruned 5 sessions from cache for memcap. 455 ssns remain. memcap: 8145100/8388608
    Oct 26 14:06:51 snort[56814]: S5: Pruned 5 sessions from cache for memcap. 455 ssns remain. memcap: 8145100/8388608
    Oct 26 14:07:00 snort[56817]: S5: Pruned session from cache that was using 3895677 bytes (stale/timeout). 216.56.xx.xx 6274 –> 74.125.15.26 80 : LWstate 0x48 LWFlags 0x16107



  • If needed we are on pfsense version - 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009



  • Also noticed this in the FAQ

    I need to test out snort-inline and snort on high speed networks so that I can improve performance.
    If you are a system admin and have access to a 50 Mb+ connection please contact me

    We are using a connection of 100 MB.



  • I have not found any resolutions to this problem.. anyone have any ideas?



  • I am having the same issue.  In the RRD Graphs > System > States graph, are you hitting your max states?  I am getting a spike that hits 10,000 states.



  • I sent you a email @stuen93


Log in to reply