Snort Streams5 Issue
-
When I turn on snort it starts spamming my logs with the messages below. I have set streams5 to the maximum values (also tried 0), but I keep getting these messages. Any help would be greatly appreciated.
Dec 16 16:04:49 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3231 ssns remain. memcap: 8330513/8388608
Dec 16 16:04:49 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3231 ssns remain. memcap: 8330513/8388608
Dec 16 16:04:48 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3206 ssns remain. memcap: 8386615/8388608
Dec 16 16:04:48 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3206 ssns remain. memcap: 8386615/8388608
Snort 2.8.6.1 pkg v. 1.34
pfSense 1.2.3-RELEASE
Thanks!
-
Ok so it appears the snort gui doesn't change the stream5 settings in the config files. Things are becoming clearer…
-
Ahh, now I see the issue: I kept changing the "Max Queued" thinking it was related to memcap. There is no option for changing memcap in the GUI; I guess it needs to be changed by hand in the config file. I am surprised no one else has run into this issue as well?
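
An added example, not part of the original thread: a small parser for the "S5: Pruned ... for memcap" syslog lines quoted above, reporting how close the session cache sits to its memcap, which is how to confirm that memcap (and not "Max Queued") is the limit being hit. The function names and the 0.95 threshold are assumptions chosen for illustration; the sample input is the four log lines from the first post.

```python
import re

# Sample input: the four syslog lines quoted in the first post.
SAMPLE = """\
Dec 16 16:04:49 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3231 ssns remain. memcap: 8330513/8388608
Dec 16 16:04:49 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3231 ssns remain. memcap: 8330513/8388608
Dec 16 16:04:48 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3206 ssns remain. memcap: 8386615/8388608
Dec 16 16:04:48 snort[40808]: S5: Pruned 5 sessions from cache for memcap. 3206 ssns remain. memcap: 8386615/8388608
"""

# Matches only the message format shown in the thread.
PRUNE_RE = re.compile(
    r"S5: Pruned (?P<pruned>\d+) sessions from cache for memcap\. "
    r"(?P<remain>\d+) ssns remain\.\s+memcap: (?P<used>\d+)/(?P<cap>\d+)"
)

def parse_prune_events(text):
    """Return one dict per memcap prune message; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PRUNE_RE.search(line)
        if m:
            ev = {k: int(v) for k, v in m.groupdict().items()}
            ev["utilization"] = ev["used"] / ev["cap"]
            events.append(ev)
    return events

def summarize(events, threshold=0.95):
    """Summarize memcap pressure; threshold is an illustrative assumption."""
    if not events:
        return None
    utils = [e["utilization"] for e in events]
    return {
        "events": len(events),
        "sessions_pruned": sum(e["pruned"] for e in events),
        "memcap_bytes": max(e["cap"] for e in events),
        "peak_utilization": max(utils),
        # True when every prune happened with the cache essentially full,
        # i.e. the configured memcap is too small for the traffic seen.
        "memcap_bound": min(utils) >= threshold,
    }

if __name__ == "__main__":
    print(summarize(parse_prune_events(SAMPLE)))
```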