Snort mailing list archives

Bug in stream5 global - prune_log_max <bytes>


From: elof () sentor se
Date: Wed, 13 Mar 2013 13:42:35 +0100 (CET)


Hi!

Just wanted to report a bug.

The README.stream5 and manual state that setting 'prune_log_max' to 0 
should disable logging completely.
This is not the case. Instead I get LOTS of logs, for sessions that are 
using just a few bytes.
(the default if not specifying any 'prune_log_max' at all is to only log 
a message if a terminated session used more than 1 MB of data)



preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, 
max_tcp 262144, max_udp 131072, max_active_responses 2, 
min_response_seconds 5, prune_log_max 0, memcap 640578048

Result: My syslog spews out these lines at a high rate:

Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 47045 
(0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 33260 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 21758 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 65513 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40129 
(0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 21872 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 40402 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 778 bytes (new data/timedout). x.x.x.x 41445 --> x.x.x.x 32474 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 1032 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 42689 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 6330 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 35536 
(0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 1032 bytes (new data/timedout). x.x.x.x 32474 --> x.x.x.x 57815 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 394 bytes (new data/timedout). x.x.x.x 13764 --> x.x.x.x 20380 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 396 bytes (new data/timedout). x.x.x.x 6907 --> x.x.x.x 20380 
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that 
was using 26381 bytes (new data/timedout). x.x.x.x 1009 --> x.x.x.x 48385 
(0) : LWstate 0x8f LWFlags 0x16007

/Elof
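
Added example, not part of the original post and not Snort code: a Python check that reads the prune_log_max value from a stream5_global line and lists the "Pruned session" syslog messages that the behaviour described above would have suppressed. The function names, the sample addresses and the reading of the "1 MB" default as 1048576 bytes are assumptions.

```python
import re

# Assumption: the "1 MB" default mentioned in the post is taken as 1048576 bytes.
DEFAULT_PRUNE_LOG_MAX = 1048576

# \s+ between "that" and "was" tolerates the line wrap seen in archived mail.
PRUNE_RE = re.compile(r"S5: Pruned session from cache that\s+was using (\d+) bytes")
OPTION_RE = re.compile(r"\bprune_log_max\s+(\d+)")


def configured_threshold(conf_text):
    """Return prune_log_max from a stream5_global line, or the default if unset."""
    m = OPTION_RE.search(conf_text)
    return int(m.group(1)) if m else DEFAULT_PRUNE_LOG_MAX


def unexpected_prune_logs(conf_text, syslog_text):
    """Return the byte counts of prune messages that should not have been logged."""
    threshold = configured_threshold(conf_text)
    sizes = [int(n) for n in PRUNE_RE.findall(syslog_text)]
    if threshold == 0:
        return sizes  # 0 is documented as "logging disabled": every message is unexpected
    return [n for n in sizes if n <= threshold]  # only sessions above the limit are expected


# Constructed sample input modelled on the post (addresses are documentation ranges).
SAMPLE_CONF = ("preprocessor stream5_global: track_tcp yes, track_udp yes, "
               "prune_log_max 0, memcap 640578048")
SAMPLE_LOG = """\
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that
was using 778 bytes (new data/timedout). 192.0.2.1 32474 --> 192.0.2.2 47045
(0) : LWstate 0xc8 LWFlags 0x416107
Mar 13 12:27:38 myhost snort[26489]: S5: Pruned session from cache that
was using 21872 bytes (new data/timedout). 192.0.2.1 32474 --> 192.0.2.2 40402
(0) : LWstate 0xc8 LWFlags 0x12107
Mar 13 12:27:39 myhost snort[26489]: S5: Pruned session from cache that
was using 2097152 bytes (new data/timedout). 192.0.2.1 1009 --> 192.0.2.2 48385
(0) : LWstate 0x8f LWFlags 0x16007
"""

if __name__ == "__main__":
    bad = unexpected_prune_logs(SAMPLE_CONF, SAMPLE_LOG)
    print("prune_log_max =", configured_threshold(SAMPLE_CONF))
    print(len(bad), "unexpected prune messages, sizes:", bad)
```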
