
Seeing Session exceeded configured max bytes to queue in IPS logs.

I am seeing this in my IPS logs and it would seem to be related to streaming video, but I am not sure. I checked my threat intel for these IPs and it is a mixed bag. Does anyone have any insight into what is going on?

2016:08:18-02:41:26 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1049904 bytes (client queue). WAN-IP 43299 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:12 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43303 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:36 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43304 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:57 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43305 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1049648 bytes (client queue). WAN-IP 46711 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:50 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46715 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:48:34 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46717 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:48:59 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 46718 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-11:50:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 49416 --> 198.78.216.253 80 (0) : LWstate 0x9 LWFlags 0x406007

Thank you,

C68



  • Hey, Coder, good to see you around again!

    This is really just another example of the UTM being "chatty" in the logs.  It's just warning that it's having to do extra work because some packets are too large for the default queue length.  If you have a lot of unused memory in your UTM, you can double the size with:

    cc set ips snortsettings max_queued_bytes 2097152

    If your system is tight on RAM, increasing max_queued_bytes will slow Snort down.  If you want to set it back to the default:

    cc set ips snortsettings max_queued_bytes 0

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
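
To see whether these warnings cluster on a few destinations and how far past the configured limit each session went, the log lines can be grouped per destination. This is an added example, not part of the original thread or of Sophos tooling; the function name `summarize` and the regex are assumptions derived only from the line format quoted in the question, and the sample consists of four lines from the question plus one constructed non-matching line.

```python
import re
from collections import defaultdict

# Lines 1-4 are copied from the question; line 5 is constructed to show that
# snort messages other than the S5 queue warning are skipped.
SAMPLE = """\
2016:08:18-02:41:26 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1049904 bytes (client queue). WAN-IP 43299 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-02:42:12 mynet snort[32596]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 43303 --> 209.84.29.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-08:47:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1049648 bytes (client queue). WAN-IP 46711 --> 8.27.81.126 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-11:50:26 mynet snort[32600]: S5: Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). WAN-IP 49416 --> 198.78.216.253 80 (0) : LWstate 0x9 LWFlags 0x406007
2016:08:18-11:51:00 mynet snort[32600]: constructed unrelated message
"""

# Matches only the S5 queue-limit warning; the source address may be a
# placeholder such as WAN-IP, so it is matched as any non-space token.
S5_RE = re.compile(
    r"snort\[\d+\]: S5: Session exceeded configured max bytes to queue "
    r"(?P<limit>\d+) using (?P<used>\d+) bytes \((?P<queue>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+) "
)

def summarize(log_text):
    """Group S5 queue-limit warnings by (destination, port, queue side)."""
    stats = defaultdict(lambda: {"events": 0, "limit": 0, "max_used": 0})
    for line in log_text.splitlines():
        m = S5_RE.search(line)
        if not m:
            continue  # not an S5 queue warning
        entry = stats[(m["dst"], int(m["dport"]), m["queue"])]
        entry["events"] += 1
        entry["limit"] = int(m["limit"])
        entry["max_used"] = max(entry["max_used"], int(m["used"]))
    for entry in stats.values():
        # How many bytes past the configured limit the largest session went.
        entry["max_over"] = entry["max_used"] - entry["limit"]
    return dict(stats)

if __name__ == "__main__":
    for (dst, dport, queue), e in sorted(summarize(SAMPLE).items()):
        print(f"{dst}:{dport} {queue} queue: {e['events']} events, "
              f"limit {e['limit']}, max used {e['max_used']} (+{e['max_over']} bytes)")
```
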
  • For some reason, this no longer works in 9.407.  Perhaps the underlying issue has been addressed???

    Cheers - Bob

     
  •  Hi Bob,

     

    I've tried to enable IPS on my sg125w with 9.407-3 (just activated the related attack patterns with a rule age of >6 months) and got the same error as stated above in my log files.

     

    ~ Dave

    Cheers, Dave

    • I love the smell of IT in the morning.