Snort Problem
-
We recently started using Snort for IPS/IDS on our PFSense box. For the most part it has been working great but I can not seem to figure out how to get the Stream5 settings correct. We are using Snort 2.8.6.1 pkg v. 1.34. I have Max Queued Bytes set to 134217728 and Max Queued Segs set to 262100. I have also tried setting both of those to 0, which I believe should then use the maximum possible memory. Nothing seems to make a difference and we still constantly get errors similar to the below one in our system logs. Any ideas on what the problem could be?
Oct 26 14:06:51 snort[56817]: S5: Pruned 5 sessions from cache for memcap. 362 ssns remain. memcap: 8138111/8388608
Oct 26 14:06:51 snort[56814]: S5: Pruned 5 sessions from cache for memcap. 455 ssns remain. memcap: 8145100/8388608
Oct 26 14:06:51 snort[56814]: S5: Pruned 5 sessions from cache for memcap. 455 ssns remain. memcap: 8145100/8388608
Oct 26 14:07:00 snort[56817]: S5: Pruned session from cache that was using 3895677 bytes (stale/timeout). 216.56.xx.xx 6274 –> 74.125.15.26 80 : LWstate 0x48 LWFlags 0x16107 -
If needed we are on pfsense version - 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009
-
Also noticed this in the FAQ
I need to test out snort-inline and snort on high speed networks so that I can improve performance.
If you are a system admin and have access to a 50 Mb+ connection please contact meWe are using a connection of 100 MB.
-
I have not found any resolutions to this problem.. anyone have any ideas?
-
I am having the same issue. In the RRD Graphs > System > States graph, are you hitting your max states? I am getting a spike that hits 10,000 states.
-
I sent you a email @stuen93