Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.
I am seeing this in my IPS logs and it would seem to be related to streaming video, but I am not sure. I checked my threat intel for these IP's and it is a mixed bag. Does anyone have any insight to what is going on?
Hey, Coder, good to see you around again!
This is really just another example of the UTM being "chatty" in the logs. It's just warning that it's having to do extra work because some packets are too large for the default queue length. If you have a lot of unused memory in your UTM, you can double the size with:
cc set ips snortsettings max_queued_bytes 2097152
If your system is tight on RAM, increasing max_queued_bytes will slow Snort down. If you want to set it back to the default:
cc set ips snortsettings max_queued_bytes 0
Cheers - Bob
For some reason, this no longer works in 9.407. Perhaps the underlying issue has been addressed???
i've tried to enable IPS on my sg125w with 9.407-3 ( just activated the related attack patterns with a rule age of >6 months) and got the same error as stated above in my log files.
Try this, SSH to UTM and execute.
cc set ips queue_length 8192
Increasing queue_lenth will result in higher value for memcap eventually, more packets can be scanned through it. Also, refer the document here.
Sachin Gurung Team Lead | Sophos Technical Support Knowledge Base | @SophosSupport | Video tutorials Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
i've tried the "cc set ips queue_length 8192" but still my UTM tells me that the "bash: cc: command not found".
(And yes, i am running the command as root :) )
The command runs perfect on my end. My UTM v 9.407-3.
loginuser@10:/home/login > suPassword:10:/home/login # cc set ips queue_length 81921
Oh it works when i use su and not sudo su (old habbit of mine).
Maybe the elevated loginuser has not enough rights to execute the command....
Thanks a lot!