
Seeing Session exceeded configured max bytes to queue in IPS logs.

I am seeing this in my IPS logs and it would seem to be related to streaming video, but I am not sure. I checked my threat intel for these IPs and it is a mixed bag. Does anyone have any insight into what is going on?

2016:08:18-02:41:26 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1049904 bytes (client queue). WAN-IP 43299 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:12 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43303 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:36 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43304 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:57 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43305 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1049648 bytes (client queue). WAN-IP 46711 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:50 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46715 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:48:34 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46717 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:48:59 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46718 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-11:50:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 49416 --> 198.78.216.253 80 (0) : LWstate 0x9 LWFlags 0x406007

Thank you,

C68
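
The lines above are Snort stream5 (S5) reassembly notices: each one names the configured cap (1048576 bytes, i.e. the stream5 default of 1 MiB), how many bytes the session had queued when it tripped the cap, which side's queue (client or server) overflowed, and the flow tuple. The practical question in the post is whether the flagged sessions cluster on a few destinations and ports (large HTTP downloads or streaming) or are spread out. The following is an added example, not code from the original post or from Sophos: it parses lines in this format, groups them by destination and queue side, and checks whether a proposed larger cap would have covered every observed session. The sample log is constructed from the lines in the post with the WAN address replaced by a documentation address (203.0.113.10) and two extra lines added (a server-side queue and an unrelated S5 message) to exercise both branches; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on the stream5 lines in the post above.
# 203.0.113.10 stands in for the poster's WAN IP; the last two lines are added
# to show a server-side queue and an S5 message the parser must ignore.
SAMPLE_LOG = """\
2016:08:18-02:41:26 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1049904 bytes (client queue). 203.0.113.10 43299 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:12 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). 203.0.113.10 43303 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1049648 bytes (client queue). 203.0.113.10 46711 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-11:50:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (server queue). 203.0.113.10 49416 --> 198.78.216.253 443 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-11:51:00 mynet snort[32600]: S5: some other stream5 message that is not a queue overflow
"""

# One regex for the whole line. The source/destination fields accept any
# non-space token so that a placeholder such as "WAN-IP" parses as well as
# a real address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) using (?P<used>\d+) bytes "
    r"\((?P<side>client|server) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+) \(\d+\) : "
    r"LWstate (?P<lwstate>0x[0-9a-fA-F]+) LWFlags (?P<lwflags>0x[0-9a-fA-F]+)$"
)


def parse_line(line):
    """Return a dict for a queue-overflow line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("pid", "limit", "used", "sport", "dport"):
        ev[key] = int(ev[key])
    # LWstate/LWFlags are hex bitfields; keep them as ints for later masking.
    ev["lwstate"] = int(ev["lwstate"], 16)
    ev["lwflags"] = int(ev["lwflags"], 16)
    # How far past the cap the session got before stream5 reported it.
    ev["over_by"] = ev["used"] - ev["limit"]
    return ev


def parse_log(text):
    """Parse every matching line; non-matching lines are dropped silently."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events):
    """Group by (dst, dport, queue side): hit count and worst overshoot."""
    groups = defaultdict(lambda: {"count": 0, "max_over_by": 0, "limit": None})
    for ev in events:
        g = groups[(ev["dst"], ev["dport"], ev["side"])]
        g["count"] += 1
        g["max_over_by"] = max(g["max_over_by"], ev["over_by"])
        g["limit"] = ev["limit"]
    return dict(groups)


def port_histogram(events):
    """Destination-port counts; a single port (e.g. 80) points at bulk HTTP."""
    return dict(Counter(ev["dport"] for ev in events))


def fits_under_limit(events, new_limit):
    """True if every observed queue size would have stayed under new_limit."""
    return all(ev["used"] < new_limit for ev in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (dst, dport, side), g in sorted(summarize(events).items()):
        print(f"{dst}:{dport} {side} queue: {g['count']} hit(s), "
              f"worst overshoot {g['max_over_by']} bytes over {g['limit']}")
    print("ports:", port_histogram(events))
    print("2 MiB cap covers all observed sessions:", fits_under_limit(events, 2097152))
```

Run against the poster's lines, the overshoot is only around 1 to 1.5 KB above the 1 MiB cap for every session and every hit is on port 80, which is what you would expect from large HTTP transfers rather than from anything targeted; the `fits_under_limit` check is the quick way to confirm that a proposed cap (2097152 here) would have absorbed all of them before changing the setting.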



  • Hey, Coder, good to see you around again!

    This is really just another example of the UTM being "chatty" in the logs.  It's just warning that it's having to do extra work because some packets are too large for the default queue length.  If you have a lot of unused memory in your UTM, you can double the size with:

    cc set ips snortsettings max_queued_bytes 2097152

    If your system is tight on RAM, increasing max_queued_bytes will slow Snort down.  If you want to set it back to the default:

    cc set ips snortsettings max_queued_bytes 0

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • For some reason, this no longer works in 9.407.  Perhaps the underlying issue has been addressed???

    Cheers - Bob

  • Hi Bob,

    I've tried to enable IPS on my sg125w with 9.407-3 (just activated the related attack patterns with a rule age of >6 months) and got the same error as stated above in my log files.

    ~ Dave

    Cheers, Dave

    • I love the smell of IT in the morning.
  • Hi C68,

    Try this, SSH to UTM and execute.

    cc set ips queue_length 8192

    Increasing queue_length will eventually result in a higher value for memcap, so more packets can be scanned through it. Also, refer to the document here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachingurung,

    I've tried the "cc set ips queue_length 8192" but still my UTM tells me that the "bash: cc: command not found".

    (And yes, I am running the command as root :) )

  • Hi David,

    The command runs perfect on my end. My UTM v 9.407-3.

    FYI-

    loginuser@10:/home/login > su
    Password:
    10:/home/login # cc set ips queue_length 8192
    1

    Thanks


  • Hi sachingurung,

    Oh, it works when I use su and not sudo su (old habit of mine).

    Maybe the elevated loginuser has not enough rights to execute the command....

    Thanks a lot!
