khan wrote

I sorta fixed the problem but honestly, I'm not sure if it's the right solution (Just don't know what the heck I'm
doing. First time installing snort)

I did two things:

  1.  I had 4 ports spanned to snort's monitoring promiscuous interface. Snort's switch interface had tons of packet
drops. Way too much traffic which I believe contribute to buffering overflow. Also, with tons of dropped packets snort
is not able to see RX and TX in order to analyze traffic? (Don't know for sure but still researching. I don't know what
info snort requires in order to analyze traffic. Does it require a complete established sessions before analyzing? For
testing purposes, I removed stream5_tcp: 'requires_3whs' (3 way handshakes) but that didn't help). In any case, having
one span port to snort alleviates helps a lot. Dropping tons of packets is never a good thing :)
  2.  I've also changed and added the following parameters (in red below) in /etc/snort/snort.conf. Max_queued_bytes
and max_queued_segs seems to help a lot to remove these messages. My box has tons of memory so I figured 80MB and 40MB
respectively should be ok.

# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
memcap 1073741824, \
max_tcp 1048576, \
max_udp 1048576, \
prune_log_max 1073741824, \
max_active_responses 4, \
min_response_seconds 6
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, max_queued_bytes 90485760, max_queued_segs 40485760, \