Re: [Snort-users] "S5 pruned sessions from cache" messages

permalink · #1 (**permalink**) 04-29-2008

--===============0057705590==
Content-Type: multipart/signed; protocol="application/pgp-signature";
micalg=pgp-sha1; boundary="Apple-Mail-19--743636900"

--Apple-Mail-19--743636900
Content-Type: multipart/alternative; boundary=Apple-Mail-18--743636917

--Apple-Mail-18--743636917
Content-Type: text/plain;
charset=US-ASCII;
format=flowed;
delsp=yes
Content-Transfer-Encoding: 7bit

It means that you haven't allocated enough memory to stream5's
memcap. Basically when it hits the memcap limit due to trying to
track too many sessions at once you need to raise the memcap limit
until you stop getting those notifications. Try doubling it for
starters and see what happens.

-Marty

On Apr 29, 2008, at 1:52 PM, Joe S wrote:

> Correction: Running 2.8.1
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.8.1 (Build 28) FreeBSD
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2008 Sourcefire Inc., et al.
> Using PCRE version: 7.4 2007-09-21
>
>
> On Tue, Apr 29, 2008 at 10:50 AM, Joe S <js.lists@gmail.com> wrote:
>> I'm running Snort 2.8.0.1 on FreeBSD 7.0 (i386) and I'm getting tons
>> of messages like this:
>>
>> S5: Pruned 25 sessions from cache. 2870 ssns for memcap:
>> 8387663/8388608
>> S5: Pruned 5 sessions from cache. 2877 ssns for memcap:
>> 8235241/8388608
>> S5: Pruned 20 sessions from cache. 2964 ssns for memcap:
>> 8388299/8388608
>> S5: Pruned 5 sessions from cache. 2959 ssns for memcap:
>> 8388559/8388608
>> S5: Pruned 5 sessions from cache. 2954 ssns for memcap:
>> 8387708/8388608
>> S5: Pruned 5 sessions from cache. 2947 ssns for memcap:
>> 8387840/8388608
>> S5: Pruned 70 sessions from cache. 2877 ssns for memcap:
>> 8387838/8388608
>> S5: Pruned 15 sessions from cache. 2862 ssns for memcap:
>> 8388366/8388608
>> S5: Pruned 25 sessions from cache. 2837 ssns for memcap:
>> 8388348/8388608
>> S5: Pruned 10 sessions from cache. 2827 ssns for memcap:
>> 8388233/8388608
>> S5: Pruned 5 sessions from cache. 2822 ssns for memcap:
>> 8387495/8388608
>> S5: Pruned 5 sessions from cache. 2817 ssns for memcap:
>> 8360849/8388608
>> S5: Pruned 5 sessions from cache. 2826 ssns for memcap:
>> 8388047/8388608
>> S5: Pruned 35 sessions from cache. 2793 ssns for memcap:
>> 8387029/8388608
>>
>> I've searched the archives, but have not found anything.
>>
>> Why am I getting these messages?
>> What do they mean?
>>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save
> $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757...un.com/javaone
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

--Apple-Mail-18--743636917
Content-Type: text/html;
charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

<html><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; ">It means that you haven't =
allocated enough memory to stream5's memcap.  Basically when it =
hits the memcap limit due to trying to track too many sessions at once =
you need to raise the memcap limit until you stop getting those =
notifications.  Try doubling it for starters and see what =
happens.<div><br></div><div><span class=3D"Apple-tab-span" =
style=3D"white-space:pre"> =
</span>-Marty<br><div><br></div><div><br><div><div>On Apr 29, 2008, at =
1:52 PM, Joe S wrote:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite">Correction: =
Running 2.8.1<br><br>   ,,_     -*> Snort! =
<*-<br>  o"  )~   Version 2.8.1 (Build 28) =
 FreeBSD<br>   ''''    By Martin Roesch =
& The Snort Team: <a =
href=3D"http://www.snort.org/team.html">http://www.snort.org/team.html</a>=
<br>         &n bsp; (C) =
Copyright 1998-2008 Sourcefire Inc., et al.<br> =
        &n bsp; Using PCRE =
version: 7.4 2007-09-21<br><br><br>On Tue, Apr 29, 2008 at 10:50 AM, Joe =
S <<a href=3D"mailto:js.lists@gmail.com">js.lists@gmail. com</a>> =
wrote:<br><blockquote type=3D"cite">I'm running Snort 2.8.0.1 on FreeBSD =
7.0 (i386) and I'm getting tons<br></blockquote><blockquote type=3D"cite">=
of messages like this:<br></blockquote><blockquote =
type=3D"cite"><br></blockquote><blockquote type=3D"cite"> S5: Pruned 25 =
sessions from cache. 2870 ssns for memcap: =
8387663/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 5 =
sessions from cache. 2877 ssns for memcap: =
8235241/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 20 =
sessions from cache. 2964 ssns for memcap: =
8388299/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 5 =
sessions from cache. 2959 ssns for memcap: =
8388559/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 5 =
sessions from cache. 2954 ssns for memcap: =
8387708/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 5 =
sessions from cache. 2947 ssns for memcap: =
8387840/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 70 =
sessions from cache. 2877 ssns for memcap: =
8387838/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 15 =
sessions from cache. 2862 ssns for memcap: =
8388366/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 25 =
sessions from cache. 2837 ssns for memcap: =
8388348/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 10 =
sessions from cache. 2827 ssns for memcap: =
8388233/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 5 =
sessions from cache. 2822 ssns for memcap: =
8387495/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 5 =
sessions from cache. 2817 ssns for memcap: =
8360849/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 5 =
sessions from cache. 2826 ssns for memcap: =
8388047/8388608<br></blockquote><blockquote type=3D"cite"> S5: Pruned 35 =
sessions from cache. 2793 ssns for memcap: =
8387029/8388608<br></blockquote><blockquote =
type=3D"cite"><br></blockquote><blockquote type=3D"cite"> I've searched =
the archives, but have not found anything.<br></blockquote><blockquote =
type=3D"cite"><br></blockquote><blockquote type=3D"cite"> Why am I =
getting these messages?<br></blockquote><blockquote type=3D"cite"> What =
do they mean?<br></blockquote><blockquote =
type=3D"cite"><br></blockquote><br>---------------------------------------=
----------------------------------<br>This SF.net email is sponsored by =
the 2008 JavaOne(SM) Conference <br>Don't miss this year's exciting =
event. There's still time to save $100. <br>Use priority code J8TL2D2. =
<br><a =
href=3D"http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun=
..com/javaone">http://ad.doubleclick.net/clk;198757...8;p?http://ja=
va.sun.com/javaone</a><br>____________________________________________ ___<=
br>Snort-users mailing list<br><a =
href=3D"mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.source=
forge.net</a><br>Go to this URL to change user options or =
unsubscribe:<br>https://lists.sourceforge.net/lists/listinfo/snort-users<b=
r>Snort-users list =
archive:<br>http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users<br>=
</blockquote></div><br><div> <span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; =
-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =
0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div>--<br>Martin Roesch - Founder/CTO, Sourcefire =
Inc. - +1-410-290-1616<br>Sourcefire - Security for the Real World =
- <a =
href=3D"http://www.sourcefire.com/">http://www.sourcefire.com</a><br>Snort=
: Open Source IDP - <a =
href=3D"http://www.snort.org/">http://www.snort.org</a></div></div></span>=
</div><br></div></div></body></html>=

--Apple-Mail-18--743636917--

--Apple-Mail-19--743636900
content-type: application/pgp-signature; x-mac-type=70674453;
name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkgXYVQACgkQqj0FAQQ3KOCX4ACfS/XYup4NT/BKrVLB/br09ntp
jwAAn3CPq0rWIn698qFXZaPFZidbf7Ba
=ZEGb
-----END PGP SIGNATURE-----

--Apple-Mail-19--743636900--

--===============0057705590==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757...un.com/javaone
--===============0057705590==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
--===============0057705590==--

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode