Snort mailing list archives
Re: Fwd: Re: Stream5 error
From: "Cloherty, Sean E" <scloherty () mitre org>
Date: Mon, 11 Apr 2016 14:57:05 +0000
The snort.conf for 2.9.8.2 that I got from the snort.org website does have the timeout set to 180 as well. Is that the default? Should we cut back to 30 secs? What is the impact on detection if we do reduce the timeout?

From: Dave Corsello [mailto:snort-users () wintertreemedia com]
Sent: Friday, April 08, 2016 16:37 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Fwd: Re: Stream5 error

My comments below:

On 4/7/2016 5:57 PM, Al Lewis (allewi) wrote:
> Was there a reason you changed the session time_out and require_3whs fields?

I didn't change them from the values that were set by Sourcefire/Cisco. I have now changed timeout to 30 and require_3whs to 0.

> You are keeping sessions active 6 times longer than the default (30 seconds for timeout) so that may be why snort has no choice but to alert and prune them. Did you change the max bytes for a session? You may need to raise the max_tcp bytes in the stream global setting.

Again, I left the original values unchanged. I would be inclined to leave them as they are after making the above changes unless you recommend otherwise.

> Also did you see my previous message? If any of the conditions below are true then snort will send the message and prune the session. If you don't have a config I would think that you are hitting one of these conditions from line 7201 in "preprocessors/Stream6/snort_stream_tcp.c":
>
> 7201 if (stream_session_config->prune_log_max && (TwoWayTraffic(tcpssn->scb) || s5TcpPolicy->log_asymmetric_traffic) && !(tcpssn->scb->ha_state.session_flags & SSNFLAG_LOGGED_QUEUE_FULL))
> 7202 {
> 7203     LogMessage("S5: Session exceeded configured max bytes to queue %d "
> 7204                "using %d bytes (%s). %s %d --> %s %d "
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
> From: Dave Corsello [mailto:snort-users () wintertreemedia com]
> Sent: Thursday, April 07, 2016 4:15 PM
> To: Al Lewis (allewi)
> Subject: Re: [Snort-users] Stream5 error
>
> Thanks for your reply. My snort.conf is attached. Here's the startup command from my init script:
>
> exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf -D
>
> On 4/7/2016 3:02 PM, Al Lewis (allewi) wrote:
> Do you have a copy of your configuration that you can share?
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
> From: Dave Corsello [mailto:snort-users () wintertreemedia com]
> Sent: Thursday, April 07, 2016 2:08 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Stream5 error
>
> I'm getting a number of S5 errors like the following:
>
> Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : LWstate 0x9 LWFlags 0x6007
>
> I typically have not seen this error. I'm not sure when it started. I'm concerned because in each case, the source and destination IPs are identical to one another, and because in each case the address is a public address outside of my network. Can someone help me to understand what's happening, and if correctable, what kinds of Snort configuration changes can correct this?
>
> Thanks,
> Dave
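As an added example (not code from the thread or from the Snort project), a small Python parser for the "S5: Session exceeded configured max bytes to queue" lines discussed above. It extracts the configured limit, the bytes actually queued, which queue (client or server) filled, and the endpoints, and flags the case Dave raised where source and destination addresses are identical. The sample log lines and addresses are constructed placeholders; the parenthesised value after the ports is kept without interpreting it.

```python
import re
from collections import Counter

# Matches the message body Stream5 logs when a session's reassembly queue hits
# the max_tcp limit. Works on bare messages and on syslog-prefixed lines.
S5_RE = re.compile(
    r"Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>client|server) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+) "
    r"\((?P<paren_val>\d+)\) : "
    r"LWstate (?P<lwstate>0x[0-9a-fA-F]+) LWFlags (?P<lwflags>0x[0-9a-fA-F]+)"
)

def parse_s5_line(line):
    """Return a dict of fields for one S5 queue-full message, or None if the line is something else."""
    m = S5_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("limit", "used", "sport", "dport", "paren_val"):
        rec[key] = int(rec[key])
    rec["lwstate"] = int(rec["lwstate"], 16)
    rec["lwflags"] = int(rec["lwflags"], 16)
    rec["overshoot"] = rec["used"] - rec["limit"]   # how far past max_tcp the queue got
    rec["same_host"] = rec["src"] == rec["dst"]     # the symptom the original post asks about
    return rec

def summarize(lines):
    """Aggregate parsed S5 lines: how many, how many same-host, per port and per queue."""
    recs = [r for r in map(parse_s5_line, lines) if r]
    return {
        "total": len(recs),
        "same_host": sum(r["same_host"] for r in recs),
        "by_dport": Counter(r["dport"] for r in recs),
        "by_queue": Counter(r["queue"] for r in recs),
        "max_used": max((r["used"] for r in recs), default=0),
    }

# Constructed sample lines in the format quoted in the thread (documentation-range addresses).
SAMPLE = [
    "Apr  7 13:01:02 sensor snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 "
    "using 1050000 bytes (client queue). 203.0.113.10 13624 --> 203.0.113.10 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "Apr  7 13:01:04 sensor snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 "
    "using 1049000 bytes (server queue). 198.51.100.7 44120 --> 203.0.113.20 443 (0) : LWstate 0x9 LWFlags 0x6007",
    "Apr  7 13:01:05 sensor snort[1234]: Commencing packet processing (pid=1234)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```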
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Stream5 error Dave Corsello (Apr 07)
- Re: Stream5 error Al Lewis (allewi) (Apr 07)
- Re: Stream5 error Al Lewis (allewi) (Apr 07)
- Re: Stream5 error Al Lewis (allewi) (Apr 07)
- Re: Stream5 error Al Lewis (allewi) (Apr 07)
- <Possible follow-ups>
- Fwd: Re: Stream5 error Dave Corsello (Apr 08)
- Re: Fwd: Re: Stream5 error Cloherty, Sean E (Apr 11)
- Re: Fwd: Re: Stream5 error Al Lewis (allewi) (Apr 11)
- Re: Fwd: Re: Stream5 error Cloherty, Sean E (Apr 11)
- Re: Stream5 error Al Lewis (allewi) (Apr 07)