Snort mailing list archives

Re: Fwd: Snort 'hangs'


From: Y M <snort () outlook com>
Date: Thu, 10 Apr 2014 04:26:46 +0000

Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max 
@500MB)
 
As far as I understand, the above message is related to the max_queued_bytes of the S5 TCP configurations and not 
memcap:
 
http://manual.snort.org/node73.html (look for the 12th item in the table). What is different from what I have seen is 
the part that says "LWstate 0x1 LWFlags". Usually, this is represented in bytes.
 
YM
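The two S5 messages quoted in this thread report per-session reassembly queue limits of stream5_tcp (max_queued_bytes for the "bytes" form, max_queued_segs for the "segs" form), not the stream5_global memcap. The following is an added example, not part of the original post and not Snort code: a small log triage script that tallies which limit is being hit. The function names are hypothetical, the sample lines are copied from this thread, and the LWstate/LWFlags values are captured as-is without decoding.

```python
import re
from collections import Counter

# Map the unit named in the message to the stream5_tcp option it refers to.
OPTION_FOR_UNIT = {"bytes": "max_queued_bytes", "segs": "max_queued_segs"}

# Tolerant pattern: the counts, queue side and LWFlags value are optional,
# because messages are often pasted in shortened form (as in this thread).
S5_RE = re.compile(
    r"S5: Session exceeded configured max (?P<unit>bytes|segs) to queue"
    r"(?: (?P<limit>\d+) using (?P<used>\d+) (?:bytes|segs))?"
    r"(?: \((?P<queue>client|server) queue\))?"
    r".*?LWstate (?P<lwstate>0x[0-9a-fA-F]+)"
    r"(?: LWFlags (?P<lwflags>0x[0-9a-fA-F]+))?",
    re.IGNORECASE,
)

def parse_s5_line(line):
    """Return the fields of an S5 queue-limit message, or None for other lines."""
    m = S5_RE.search(line)
    if m is None:
        return None
    return {
        "option": OPTION_FOR_UNIT[m.group("unit").lower()],
        "limit": int(m.group("limit")) if m.group("limit") else None,
        "used": int(m.group("used")) if m.group("used") else None,
        "queue": m.group("queue"),
        "lwstate": int(m.group("lwstate"), 16),
        "lwflags": int(m.group("lwflags"), 16) if m.group("lwflags") else None,
    }

def summarize(lines):
    """Count queue-limit messages per stream5_tcp option."""
    counts = Counter()
    for line in lines:
        hit = parse_s5_line(line)
        if hit:
            counts[hit["option"]] += 1
    return dict(counts)

# Sample input: lines taken from this thread (the second one is the shortened paste).
SAMPLE_LOG = [
    "S5: Session exceeded configured max segs to queue 2621 using 2621 segs "
    "(client queue)  <ip><port> --> <ip><port> (0): LWstate 0x9 LWFlags 0x406007",
    "s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags",
    "WARNING database called with Event Type [7] (P)acket [0x0]",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
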
 
Date: Thu, 10 Apr 2014 13:13:02 +1200
From: conma293 () gmail com
To: thopeter () cisco com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Fwd: Snort 'hangs'

I'm also going to think about reducing memcap back to default - may be putting too much resource on the VM; which has 
4gb of the 8gb host RAM

On Thu, Apr 10, 2014 at 12:40 PM, Matheus Condi'ez <conma293 () gmail com> wrote:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

Just upgraded to community rules 2960 (with additional OpenSSL heartbeat rules from VRT for the boss - thank you very 
much)

I've got one error here in full -->

S5: Session exceeded configured max segs to queue 2621 using 2621 segs (client queue)  <ip><port> --> <ip><port> (0): 
LWstate 0x9 LWFlags 0x406007

Also - it just crashed on me again, the other sensor is all go, hopefully the rules upgrade will fix this issue

On Thu, Apr 10, 2014 at 3:04 AM, Tom Peters (thopeter) <thopeter () cisco com> wrote:

Matheus,

I'm taking a look at the source code.

Do you know exactly which build of Snort you are running?

Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max 
@500MB)

Is this the exact error message? Could you send me the complete message?

Thanks,
Tom Peters
Sourcefire Snort Development

From: conma293 <conma293 () gmail com>
Date: Wednesday, April 9, 2014 1:15 AM
To: Snortusers <snort-users () lists sourceforge net>
Subject: [Snort-users] Fwd: Snort 'hangs'

Sent from my iPhone

Begin forwarded message:

From: "Matheus Condi'ez" <conma293 () gmail com>
Date: 9 April 2014 4:17:49 PM NZST
To: snort-users () lists sourceforge net
Subject: Snort 'hangs'

I have Snort running as an Ubuntu VM on a Fedora host in two separate dev environments with differing levels of traffic 
- one predominantly SMTP (low levels), one web (high levels).

Versions - 

Snort: v2.9.6
Barnyard2-1.13
DAQ: v2.0.2

Current ruleset is community rules 28th Mar

The sensor in the low traffic SMTP environment runs smooth

The sensor in the other environment however...
Snort runs fine for 3~9 days, it will then stop outputting U2's for Barnyard.  Upon attempting to kill the snort process 
under sudo and/or root it fails to actually kill the process.  Killing the barnyard2 process is fine, as is killing the 
snort process if it is still outputting unified2.

I often see the following outputs, which may or may not be related (almost certainly not by2) - 

Snort:  s5: session exceeded configured max bytes to queue LWstate 0x1 LWFlags (have updated memcap to half the max 
@500MB)

Barnyard2:  'lonely packet'; WARNING database called with Event Type [7] (P)acket [0x0]

I am at a loss as to what to do now as I seem to have to reboot the sensor to kill the snort process every couple of days 
or so.

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
  