This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Session exceeded configured max bytes to queue in IPS logs

Hi, I have read up many posts and for my case I am seeing the warning messages from IPS logs as well:

2019:10:18-09:57:01 dph-utm snort[20679]: S5: Pruned session from cache that was using 1060717 bytes (stale/timeout). x.x.x.x 62993 --> x.x.x.x 80 (0) : LWstate 0x9 LWFlags 0xe007

2019:10:18-13:12:01 dph-utm snort[20679]: S5: Session exceeded configured max bytes to queue 2621440 using 2626899 bytes (client queue). x.x.x.x 64743 --> x.x.x.x 80 (0) : LWstate 0x9 LWFlags 0x6007

Initially there were more of such messages but after increasing the max queue byte size and queue length, the warning messages frequency reduced but does not go away entirely. Does anyone here face the same issue?

cc set ips snortsettings max_queued_bytes 2621440

cc set ips queue_length 8192

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/79574/seeing-session-exceeded-configured-max-bytes-to-queue-in-ips-logs

This thread was automatically locked due to age.

Parents

0 Jaydeep over 5 years ago

Hi jn01

This error message appears when the data is larger than the buffer capacity. It is likely to happen in small devices or Virtual platforms. Have you seen any user impact due to this?

Regards

Jaydeep
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Jaydeep over 5 years ago

Hi jn01

This error message appears when the data is larger than the buffer capacity. It is likely to happen in small devices or Virtual platforms. Have you seen any user impact due to this?

Regards

Jaydeep
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data