Warning: table size limit exceeded

mhellman
Level 7

Noticed this error event on a sensor. I got the same ones for sigs 5378-0, 5488-0, 5528-0, 5476-0, 5557-0, 5687-0, 5524-0.

What does it mean?

evError: eventId=1130169990404666072 vendor=Cisco severity=warning

originator:

hostId: 02-evlan-c7

appName: sensorApp

appInstanceId: 355

time: December 1, 2005 7:10:08 PM UTC offset=-360 timeZone=GMT-06:00

errorMessage: Warning Table Size Limit Exceeded by Sig 5378.0. Additional table will be created. name=errUnclassified

Accepted Solutions

marcabal
Cisco Employee

These warnings are primarily just informational, and do not constitute an error that the user needs to worry about.

When signatures are added to the sensor, the sensor will compile the signatures together into a large regular expression cache table. This greatly speeds up analysis. The cache table, however, has a limited size. When adding a signature to the cache table would grow the table beyond the allowed size, then you will see the warning that you posted above.

All this warning lets you know is that it couldn't add that signature to the existing table, and so it must create a new table for that signature and the signatures following it.

This is primarily just debugging information for signature developers so they can track what is happening as signatures are being added.

The sensor is operating correctly and will function just fine. The addition of the new table just adds a very small performance decrease because an additional table will have to be analyzed during packet analysis.

Users running with the default signature settings would never need to worry about this message and can consider it just some logging information (it really should have been a status message rather than an error message).

Users who are unretiring signatures or creating their own custom signatures may see this message as they configure their sensors. If so, then it is letting them know that additional cache tables are having to be created to handle the additional signatures. Once again, just information and not a real error.

Thanks for your very detailed response. I do have a question though. I only have 1 custom signature on this sensor, and it is a slightly modified duplicate of the "malicious email attachment" signature (don't have the sigid handy). That Cisco-supplied sig was disabled. I have however enabled pretty much every other sig on the sensor (and then disabled many through the tuning process). Would simply enabling all signatures cause this message?

Matt

Depends on the version of the sensor.

In version 4.1 if a signature (custom or Cisco created) was enabled the signature was added to the regex cache table, and could cause additional cache tables to be created.

If a signature was disabled, then it can't really remove it from the existing cache tables. Instead the sensor has to build new cache tables from scratch without that signature in it. This could cause that message as the cache table process has to be redone.

In version 5.0 this method changed slightly.

We have a new parameter retired/unretired.

Unretiring a signature will add the signature to the cache files (whether or not it is enabled or disabled).

Retiring a signature will cause new cache files to be created without that signature. (The signature won't be analyzed even if enabled).

So in version 4.1 enabling all signatures would cause signatures to be added to the cache files and could cause additional cache files to be created and you receive that warning.

In version 5.0 enabling all signatures will have little effect on the cache files, because the cache files are based on Unretired signatures regardless of whether or not they are enabled.

Now unretiring all signatures would cause new cache files to be created and you receive that warning.
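
A triage sketch for the warning discussed in this thread, added here as an example (it is not from the original posts or from Cisco): it parses evError records in the layout quoted in the question and separates the informational "Table Size Limit Exceeded" warnings, grouped by sensor and signature, from errors that still need review. The second and third sample records and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the event quoted in the thread. The other two are constructed
# for this example (same layout, made-up eventIds, host and message text).
SAMPLE = """\
evError: eventId=1130169990404666072 vendor=Cisco severity=warning
  originator:
    hostId: 02-evlan-c7
    appName: sensorApp
    appInstanceId: 355
  time: December 1, 2005 7:10:08 PM UTC offset=-360 timeZone=GMT-06:00
  errorMessage: Warning Table Size Limit Exceeded by Sig 5378.0. Additional table will be created. name=errUnclassified
evError: eventId=1000000000000000001 vendor=Cisco severity=warning
    hostId: 02-evlan-c7
  errorMessage: Warning Table Size Limit Exceeded by Sig 5488.0. Additional table will be created. name=errUnclassified
evError: eventId=1000000000000000002 vendor=Cisco severity=error
    hostId: example-sensor
  errorMessage: constructed unrelated failure name=errUnclassified
"""

TABLE_LIMIT = re.compile(r"Table Size Limit Exceeded by Sig (\d+)\.(\d+)")
FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")

def parse_events(text):
    """Split the dump into one dict per evError record."""
    events = []
    for line in text.splitlines():
        if line.startswith("evError:"):
            events.append(dict(kv.split("=", 1) for kv in line.split()[1:]))
        elif events and (m := FIELD.match(line)) and m.group(2):
            events[-1][m.group(1)] = m.group(2)
    return events

def triage(text):
    """Return ({hostId: [sig ids]}, [events that still need review])."""
    benign, review = defaultdict(list), []
    for ev in parse_events(text):
        m = TABLE_LIMIT.search(ev.get("errorMessage", ""))
        if m and ev.get("severity") == "warning":
            benign[ev.get("hostId", "unknown")].append(f"{m.group(1)}-{m.group(2)}")
        else:
            review.append(ev)
    return dict(benign), review

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The per-sensor signature list is the useful output: a sudden growth in it after a configuration change lines up with the enable or unretire behaviour described in the replies above.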
