Snort mailing list archives
Re: memcap limit error
From: Y M <snort () outlook com>
Date: Fri, 31 May 2013 21:52:10 +0300
This should go in the stream5 preprocessor configurations section. A good indication to look for is the "S5" at the start of the message. ________________________________ From: Shields, Joseph (NIH/NIEHS) [C]<mailto:joseph.shields () nih gov> Sent: 5/31/2013 9:45 PM To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: [Snort-users] memcap limit error I'm seeing the following error messages show up (/var/log/messages). May 31 14:02:06 sysabc snort[10890]: S5: Pruned 5 sessions from cache for memcap. 812 ssns remain. memcap: 8386339/8388608 May 31 14:02:06 sysabc snort[10890]: S5: Pruned 10 sessions from cache for memcap. 803 ssns remain. memcap: 8381933/8388608 I believe I need to increase the memcap setting, however, I am uncertain which entry in the config file(snort.conf) needs to be increased. It is unclear to me which one is causing the error. Help please! Here are config file settings (all are at defaults) with memcap: # DNP3 preprocessor. For more information see README.dnp3 preprocessor dnp3: ports { 20000 } \ memcap 262144 \ # Reputation preprocessor. For more information see README.reputation preprocessor reputation: \ memcap 500, \ preprocessor dcerpc2: memcap 102400, events [co ] Brian
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- memcap limit error Shields, Joseph (NIH/NIEHS) [C] (May 31)
- Re: memcap limit error Joel Esler (May 31)
- <Possible follow-ups>
- Re: memcap limit error Y M (May 31)