Snort 2.9.2.3 pkg v. 2.5.1 - ignores memcap settings



  • In earlier versions of Snort, I have always set the "Max queued bytes" and "Max queued segs" on the Interface's Preprocessors page to the maximum value - either 0 or 1073741824.

    I have also appended ", memcap 134217728" to the "preprocessor stream5_global" line in both "/usr/local/etc/snort/snort_51896_pppoe0/snort.conf" and "/usr/local/pkg/snort/snort.inc".

    This used to stop the memcap issues and session pruning issues. But, now, with the latest version, it does not.

    Now, the system log has the following during Snort startup
    snort[47261]: | memory-cap : 1048576 bytes

    And I get quite a few "Pruned Session from cache" entries in the log.

    Has anything else changed in this version?

    Thanks,
    MediocreFred.



  • It depends on what that memory cap is printed for.
    All preprocessors have a memory cap option, so it depends which of them is printing that.



  • Hmmm… OK. Restarted again and here are bits from the system log:

    Jul 25 09:14:16 snort[29561]: | memory-cap : 1048576 bytes
    Jul 25 09:14:16 snort[29561]: | memory-cap : 1048576 bytes
    Jul 25 09:14:16 snort[29561]: +–---------------------[event-filter-config]–--------------------------------
    Jul 25 09:14:16 snort[29561]: +–---------------------[event-filter-config]–--------------------------------
    Jul 25 09:14:16 snort[29561]:
    Jul 25 09:14:16 snort[29561]:
    Jul 25 09:14:16 snort[29561]: –-----------------------------------------------------------------------------
    Jul 25 09:14:16 snort[29561]: –-----------------------------------------------------------------------------
    Jul 25 09:14:16 snort[29561]: | none
    Jul 25 09:14:16 snort[29561]: | none
    Jul 25 09:14:16 snort[29561]: +–---------------------[rate-filter-rules]–----------------------------------
    Jul 25 09:14:16 snort[29561]: +–---------------------[rate-filter-rules]–----------------------------------
    Jul 25 09:14:16 snort[29561]: | memory-cap : 1048576 bytes
    Jul 25 09:14:16 snort[29561]: | memory-cap : 1048576 bytes
    Jul 25 09:14:16 snort[29561]: +–---------------------[rate-filter-config]–---------------------------------
    Jul 25 09:14:16 snort[29561]: +–---------------------[rate-filter-config]–---------------------------------
    Jul 25 09:14:16 snort[29561]:
    Jul 25 09:14:16 snort[29561]:
    Jul 25 09:14:16 snort[29561]: –-----------------------------------------------------------------------------
    Jul 25 09:14:16 snort[29561]: –-----------------------------------------------------------------------------
    Jul 25 09:14:16 snort[29561]: +–---------------------[detection-filter-rules]–-----------------------------
    Jul 25 09:14:16 snort[29561]: +–---------------------[detection-filter-rules]–-----------------------------
    Jul 25 09:14:16 snort[29561]: | memory-cap : 1048576 bytes
    Jul 25 09:14:16 snort[29561]: | memory-cap : 1048576 bytes
    Jul 25 09:14:16 snort[29561]: +–---------------------[detection-filter-config]–----------------------------
    Jul 25 09:14:16 snort[29561]: +–---------------------[detection-filter-config]–----------------------------


    Jul 25 09:14:07 snort[29561]: Events: smb co cl
    Jul 25 09:14:07 snort[29561]: Events: smb co cl
    Jul 25 09:14:07 snort[29561]: Memcap: 102400 KB
    Jul 25 09:14:07 snort[29561]: Memcap: 102400 KB
    Jul 25 09:14:07 snort[29561]: DCE/RPC Defragmentation: Enabled
    Jul 25 09:14:07 snort[29561]: DCE/RPC Defragmentation: Enabled
    Jul 25 09:14:07 snort[29561]: Global Configuration
    Jul 25 09:14:07 snort[29561]: Global Configuration

    –-

    Jul 25 09:14:07 snort[29561]: Memcap (in bytes): 10000000
    Jul 25 09:14:07 snort[29561]: Memcap (in bytes): 10000000

    (the entries are in reverse chronological order)

    Oh and as an aside, why does it print every line twice in the log? It's always done this and even with the system log at a max of 2000 entries, I am unable to see the whole snort startup log.



  • I'm having this issue as well with the Stream5 preprocessor, even though in the settings I have it maxed out.  It can easily be reproduced by running a speedtest online.

    Jul 27 05:35:11 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 104/8388608
    Jul 27 05:35:11 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 104/8388608
    Jul 27 05:35:11 	snort[3825]: S5: Pruned session from cache that was using 25555046 bytes (memcap/check). xxx.xxx.xxx.xxx 47370 --> xxx.xxx.xxx.xxx 80 (0) : LWstate 0xf LWFlags 0x426007
    Jul 27 05:35:11 	snort[3825]: S5: Pruned session from cache that was using 25555046 bytes (memcap/check). xxx.xxx.xxx.xxx 47370 --> xxx.xxx.xxx.xxx 80 (0) : LWstate 0xf LWFlags 0x426007
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15353306/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15353306/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 2 sessions from cache for memcap. 1 ssns remain. memcap: 15274024/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 2 sessions from cache for memcap. 1 ssns remain. memcap: 15274024/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15249754/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15249754/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15248136/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15248136/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15120314/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15120314/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15117078/8388608
    Jul 27 05:35:06 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 15117078/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 10261460/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 10261460/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 8675820/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 8675820/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 8627280/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 8627280/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 6 sessions from cache for memcap. 1 ssns remain. memcap: 8381240/8388608
    Jul 27 05:35:03 	snort[3825]: S5: Pruned 6 sessions from cache for memcap. 1 ssns remain. memcap: 8381240/8388608
    Jul 27 05:34:59 	snort[3825]: S5: Pruned 5 sessions from cache for memcap. 1 ssns remain. memcap: 1907622/8388608
    Jul 27 05:34:59 	snort[3825]: S5: Pruned 5 sessions from cache for memcap. 1 ssns remain. memcap: 1907622/8388608
    

    I'm wondering if it's because the Stream5 settings in the .inc file don't have any settings for UDP traffic like they do for TCP.
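As an added example (not from the thread, nor from the pfSense or Snort package code), the following Python helper reads the memcap from a stream5_global line and compares it with the cap that the S5 prune messages quoted above report, so the kind of mismatch the first post and this one describe shows up directly; the snort.conf fragment and syslog lines it contains are constructed samples modelled on those in the thread.

```python
import re

# Constructed sample snort.conf fragment (assumption: modelled on the
# stream5_global line with ", memcap 134217728" appended, as in the first post).
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144, memcap 134217728
preprocessor stream5_tcp: policy bsd, ports both all
"""
# Constructed syslog lines in the format quoted in the thread; the doubled
# lines mimic the "every line twice" behaviour the posters mention.
SAMPLE_LOG = """\
Jul 27 05:35:06 snort[3825]: S5: Pruned 2 sessions from cache for memcap. 1 ssns remain. memcap: 15274024/8388608
Jul 27 05:35:06 snort[3825]: S5: Pruned 2 sessions from cache for memcap. 1 ssns remain. memcap: 15274024/8388608
Jul 27 05:35:11 snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 104/8388608
Jul 27 05:35:11 snort[3825]: S5: Pruned 1 sessions from cache for memcap. 1 ssns remain. memcap: 104/8388608
"""
CONF_RE = re.compile(r"^\s*preprocessor\s+stream5_global\s*:\s*(.*)$", re.M)
PRUNE_RE = re.compile(r"S5: Pruned (\d+) sessions from cache for memcap\. "
                      r"(\d+) ssns remain\. memcap: (\d+)/(\d+)")

def configured_memcap(conf_text):
    """Return the memcap (bytes) on the stream5_global line, or None if unset."""
    m = CONF_RE.search(conf_text)
    opt = re.search(r"\bmemcap\s+(\d+)", m.group(1)) if m else None
    return int(opt.group(1)) if opt else None

def prune_events(log_text):
    """Parse the S5 prune lines; consecutive exact duplicates are counted once."""
    events, prev = [], None
    for line in log_text.splitlines():
        m = PRUNE_RE.search(line) if line != prev else None
        prev = line
        if m:
            events.append(dict(zip(("pruned", "remain", "used", "cap"), map(int, m.groups()))))
    return events

def memcap_report(conf_text, log_text):
    """Compare the configured memcap with the cap Snort reports when pruning."""
    cfg = configured_memcap(conf_text)
    events = prune_events(log_text)
    caps = sorted({e["cap"] for e in events})
    return {
        "configured": cfg,                       # what snort.conf asks for
        "effective": caps,                       # what the prune messages enforce
        "mismatch": cfg is not None and any(c != cfg for c in caps),
        "sessions_pruned": sum(e["pruned"] for e in events),
        "peak_overshoot": max((e["used"] - e["cap"] for e in events), default=0),
    }
```

Run it against the real /usr/local/etc/snort/snort_*/snort.conf and the exported system log; a non-empty `effective` list that differs from `configured` is the symptom the thread is about, and `peak_overshoot` shows how far a single large flow (such as the speed test) pushed the cache past the cap before pruning.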



  • Onhel will check and report back.



  • Sorry to bother Ermal, any thoughts on this issue?

