Snort Streams5 Issue



  • When I turn on snort it starts spamming my logs with the messages below. I have set streams5 to the maximum values (also tried 0), but I keep getting these messages. Any help would be greatly appreciated.

    Dec 16 16:04:49 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3231 ssns remain. memcap: 8330513/8388608
    Dec 16 16:04:49 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3231 ssns remain. memcap: 8330513/8388608
    Dec 16 16:04:48 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3206 ssns remain. memcap: 8386615/8388608
    Dec 16 16:04:48 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3206 ssns remain. memcap: 8386615/8388608

    Snort 2.8.6.1 pkg v. 1.34
    pfSense 1.2.3-RELEASE

    Thanks!



  • Ok so it appears the snort gui doesn't change the stream5 settings in the config files. Things are becoming clearer…



  • Ahh now I see the issue, I kept changing the "Max Queued" thinking it was related to memcap. There is no option for changing memcap in the gui, I guess it needs to be changed by hand in the config file. I am surprised no one else has ran into this issue as well?


Locked