Snort mailing list archives
Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 15 Apr 2002 16:26:23 -0700 (PDT)
On Tue, 16 Apr 2002, Jerome Magnin wrote: [Comments inline]
> I'm running two instances of Snort on the same interface of my firewall to monitor all the traffic to a honeypot. My firewall has 3 NICs: one for the ADSL modem, one for the LAN (100) and one for the honeynet (100). The CPU is a 166MHz K6 and the amount of RAM is 32MB.
From your error, I think you're running out of memory. Consider what the OBSD kernel will use, then on top of that, add on what 2 instances of snort will use. With your 'default' configs, stream4 allocates 8MB per instance, leaving only 16MB for the OS, firewall, and rest of snort to use.
> I have almost the default configuration (see below) and I use these two command lines:
>
>     /usr/local/bin/snort -c /usr/local/etc/snort/snort-hp.conf -A fast -i xl0 -D
>     /usr/local/bin/snort -dvi xl0 -D -b
If you are using -b you do not need to ever use -v or -d. You're telling it to log each packet to STDOUT and decode the packets while logging to binary. Binary logging logs the full packet for later readback and examination. I'd suggest changing that to "-i xl0 -D -b" instead.
> If I do a full port scan of the honeypot from a workstation within my LAN, the firewall crashes and reboots. The message displayed is:
>
>     panic: malloc: out of space in kmem_map
>
> My questions are:
>
> 1- Is it possible to have a dump of _all_ the traffic and not just logged packets PLUS "real time" alerts with a single snort process?
Sure. Add a "log any" rule to the .conf for the honeypot. Better yet, go and check out Lance Spitzner's config for honeypots at: http://project.honeynet.org/papers/honeynet/snort.conf
> 2- Is my problem a known problem and if yes, what is the workaround if any?
No, not known. Seems to be your setup.
> 3- Is it a snort issue or an openbsd issue?
I'm guessing it's hardware. I'd guess there's just not enough memory left on the box to keep track of all the streams of data coming in and reassemble them all. Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
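As an added illustration of the reply's two suggestions (a single process with a "log" rule for full capture, and keeping stream4's memory footprint in mind on a 32MB box), the following snort.conf fragment is example configuration written for this archive page; it is not from the thread, from Erek's reply, or from the Honeynet Project's published config. The interface name xl0 comes from the original post; the honeynet subnet 10.0.1.0/24, the log directory and the 4MB memcap value are constructed placeholders, and the stream4 memcap keyword should be checked against the README shipped with your own Snort 1.8.x tree before relying on it.

```conf
# Example snort-hp.conf fragment for Snort 1.8.x (added here, not the thread's own file).
# Goal: one daemon that emits fast alerts AND a full binary dump of honeynet
# traffic, replacing the second "-dv -b" instance from the original post.

# Assumption: honeynet is 10.0.1.0/24 behind xl0 (constructed placeholder).
var HONEYNET 10.0.1.0/24

# stream4 reserves its memcap (8MB by default) for session tracking and
# reassembly. On a 32MB firewall that is a quarter of all RAM, so cap it
# lower. 4MB is a constructed value; verify the memcap syntax in your
# version's stream4 README before use.
preprocessor stream4: memcap 4194304
preprocessor stream4_reassemble

# Keep the rest of your existing snort-hp.conf (other preprocessors and the
# include lines for the rule files) here, unchanged.

# Full capture of every IP packet to or from the honeynet. Snort evaluates
# alert rules before log rules, and a packet that fires an alert is logged by
# the alert action anyway, so nothing is lost to ordering. With -b on the
# command line, logged packets land in a tcpdump-format file in the log
# directory, readable later with "snort -r <file>" or tcpdump.
log ip any any <> $HONEYNET any (msg:"honeynet full capture";)

# Matching command line (one process; -b makes -d and -v unnecessary):
#   /usr/local/bin/snort -c /usr/local/etc/snort/snort-hp.conf -A fast -i xl0 -D -b -l /var/log/snort
```

Two instances on one interface each pay the stream4 memcap and each copy every packet off the wire, so collapsing to one process roughly halves the fixed memory cost before any tuning. After the change, watch free kernel memory (vmstat on OpenBSD) during a port scan of the honeypot: if the kmem_map panic still appears, the memcap needs to go lower or the box needs more RAM, as the reply suggests.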
Current thread:
- snort 1.8.6 crashing when running two instances on the same interface with Openbsd Jerome Magnin (Apr 15)
- Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd Erek Adams (Apr 15)
- Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd Chris Green (Apr 15)
- Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd Andreas Östling (Apr 16)