Snort mailing list archives

Stream 5 max_queued_bytes explanation


From: Christian T <christian.snort () gmail com>
Date: Fri, 6 Jan 2012 10:18:32 +1100

Hi,

Hoping someone could clarify max_queued_bytes - testing isn't proving
successful.

Snort manual states:
max_queued_bytes <bytes> Limit the number of bytes queued for reassembly on
a given TCP session to bytes. Default is "1048576" (1MB). A value of "0"
means unlimited, with a non-zero minimum of "1024", and a maximum of
"1073741824" (1GB). A message is written to console/syslog when this limit
is enforced.

Sample console message:
S5: Session exceeded configured max bytes to queue 1048576 using 1048670
bytes (client queue). 10.0.0.1 2146 -->  10.0.0.2  8080 (0) : LWstate 0x9
LWFlags 0x6007

Trying to understand the exact outcomes from setting the max_queued_bytes
parameter for Stream5 TCP reassembly viz. does the limit on queued bytes
affect every reassembled stream, or is it more complicated than that? e.g.
will every reassembled stream be flushed once it reaches 1MB in size (at
default setting), thus limiting the depth a reassembled stream will be
checked? Or are queued bytes something else?

Cheers,
Christian
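
An added example, not part of the original post and not Snort's own code: a parser for the console message quoted above, plus a check of a max_queued_bytes value against the bounds in the quoted manual excerpt. The function names are hypothetical, the sample line is the post's message joined onto one line, and the word before "queue" is matched generically because the post only shows "client".

```python
import re

# Bounds as stated in the manual excerpt quoted in the post.
MIN_NONZERO = 1024
MAX_BYTES = 1073741824

# Pattern built from the sample message in the post (assumed to be one
# line in the real console/syslog output; the e-mail wrapped it).
S5_RE = re.compile(
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+)\s+"
    r"using (?P<used>\d+)\s+bytes \((?P<side>\w+) queue\)\.\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+-->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

# The post's sample message, joined onto one line.
SAMPLE = ("S5: Session exceeded configured max bytes to queue 1048576 "
          "using 1048670 bytes (client queue). 10.0.0.1 2146 -->  "
          "10.0.0.2  8080 (0) : LWstate 0x9 LWFlags 0x6007")


def valid_max_queued_bytes(value):
    """True if value is 0 (unlimited) or inside the manual's non-zero range."""
    return value == 0 or MIN_NONZERO <= value <= MAX_BYTES


def parse_s5(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = S5_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("limit", "used", "sport", "dport"):
        ev[key] = int(ev[key])
    ev["over"] = ev["used"] - ev["limit"]  # bytes beyond the configured limit
    return ev


def summarize(lines):
    """Per (src, sport, dst, dport, side): message count and largest overage."""
    out = {}
    for line in lines:
        ev = parse_s5(line)
        if ev is None:
            continue  # not an S5 limit message
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["side"])
        count, worst = out.get(key, (0, 0))
        out[key] = (count + 1, max(worst, ev["over"]))
    return out


if __name__ == "__main__":
    for key, (count, worst) in summarize([SAMPLE, "unrelated line"]).items():
        print(key, "messages:", count, "max bytes over limit:", worst)
```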