Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 2 answers
  • Subscribers 2 subscribers
  • Views 22876 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Seeing Session exceeded configured max bytes to queue in IPS logs.

Coder68
over 4 years ago

I am seeing this in my IPS logs and it would seem to be related to streaming video, but I am not sure. I checked my threat intel for these IP's and it is a mixed bag. Does anyone have any insight to what is going on?

2016:08:18-02:41:26 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1049904 bytes (client queue). WAN-IP 43299 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:12 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43303 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:36 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43304 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:57 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43305 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1049648 bytes (client queue). WAN-IP 46711 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:50 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46715 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:48:34 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46717 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:48:59 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46718 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-11:50:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 49416 --> 198.78.216.253 80 (0) : LWstate 0x9 LWFlags 0x406007

Thank you,

C68



This thread was automatically locked due to age.
  • 0 over 4 years ago

    Hey, Coder, good to see you around again!

    This is really just another example of the UTM being "chatty" in the logs.  It's just warning that it's having to do extra work because some packets are too large for the default queue length.  If you have a lot of unused memory in your UTM, you can double the size with:

    cc set ips snortsettings max_queued_bytes 2097152

    If your system is tight on RAM, increasing max_queued_bytes will slow Snort down.  If you want to set it back to the default:

    cc set ips snortsettings max_queued_bytes 0

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 over 4 years ago in reply to BAlfson

    For some reason, this no longer works in 9.407.  Perhaps the underlying issue has been addressed???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 over 4 years ago in reply to BAlfson

     Hi Bob,

     

    i've tried to enable IPS on my sg125w with 9.407-3 ( just activated the related attack patterns with a rule age of >6 months) and got the same error as stated above in my log files.

     

    ~ Dave

    Cheers, Dave

    • I love the smell of IT in the morning.
  • 0 over 4 years ago

    Hi C68,

    Try this, SSH to UTM and execute.

    cc set ips queue_length 8192

    Increasing queue_lenth will result in higher value for memcap eventually, more packets can be scanned through it. Also, refer the document here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 over 4 years ago in reply to sachingurung

    Hi Sachingurung,

     

    i've tried the "cc set ips queue_length 8192" but still my UTM tells me that the "bash: cc: command not found".

    (And yes, i am running the command as root :) )

    Cheers, Dave

    • I love the smell of IT in the morning.
  • 0 over 4 years ago in reply to The_Deef

    Hi David,

    The command runs perfect on my end. My UTM v 9.407-3.

    FYI-

    loginuser@10:/home/login > su
    Password:
    10:/home/login # cc set ips queue_length 8192
    1

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 over 4 years ago in reply to sachingurung

    Hi sachingurung,

     

    Oh it works when i use su and not sudo su (old habbit of mine).

    Maybe the elevated loginuser has not enough rights to execute the command....

    Thanks a lot!

    Cheers, Dave

    • I love the smell of IT in the morning.
Unfiltered HTML