Snort mailing list archives
Re: Memory Issue?
From: Phil Wood <cpw () lanl gov>
Date: Tue, 12 Nov 2002 10:29:58 -0700
On Tue, Nov 12, 2002 at 09:15:35AM -0500, Chris Green wrote:
> "Frank Reid" <fcreid () ourcorner org> writes:
>
> > I've been running snort on Mandrake 8.2 (2.4 kernel) for about 18
> > months, and it's been great. I use the standard rule sets and log
> > alerts to a local MySQL database (3.23.53a). Yesterday, I updated
> > Snort from CVS (2.0.0beta Build 33) and started seeing strange
> > behavior. This may have been the first 2.0beta I pulled from CVS.
> > Anyway, as soon as I trigger an alert against the network (something
> > that Snort would normally catch and log), I'm seeing this error:
> >
> > kernel: __alloc_pages: 0-order allocation failed (gfp0x1d2/0)
>
> Are you out of memory? 2.0.0 uses a lot more memory on normal than
> other snorts.

Great! I'm the one that uses memory with my pcap ring buffer, now you come along and double it! Good thing I got some (hardware memory, that is). I'm only running:

    Version 2.0.0beta (Build 13)

    30048 root  19  0  109M   43M  1016 R  50.1  1.1  80:22 snort
    30047 root  17  0  78572  10M   988 R  33.6  0.2  59:54 snort
    30044 root  14  0  111M   45M  1216 R  15.7  1.1  28:16 snort
    30042 root   9  0  105M   39M  1024 S   4.1  1.0  14:54 snort

Still got a little left:

    Mem: 3932296K av, 2778620K used, 1153676K free, 0K shrd, 37020K buff

Haven't started to drop packets today. But, that is standard for one of the sensors. The bg and by sensors look at two different networks. The mm sensor is geared to look for more critical stuff to/from the entire network space.

    Sensor bg is enabled, using PID 30042
      ? S 15:07 /data/pw/bin/snort
      Datafile: 12679778 Nov 12 10:16 /data/pw/log/green/bg20021112.0000
      Datafile: 122 Nov 12 08:20 /data/pw/log/green/bg20021112.0000.alert
      S: 10:16:43, 20232417 packets processed at 546.62 pps in 37013 seconds, with 0 drops.

    Sensor by is enabled, using PID 30048
      ? R 82:31 /data/pw/bin/snort
      Datafile: 93680703 Nov 12 10:16 /data/pw/log/yellow/by20021112.0000
      Datafile: 661108 Nov 12 10:16 /data/pw/log/yellow/by20021112.0000.alert
      S: 10:16:43, 146836466 packets processed at 3967.09 pps in 37013 seconds, with 0 drops.

    Sensor mm is enabled, using PID 30047
      ? R 61:22 /data/pw/bin/snort
      Datafile: 590609 Nov 12 10:16 /data/pw/log/serious/mm20021112.0000
      Datafile: 734851 Nov 12 10:16 /data/pw/log/serious/mm20021112.0000.alert
      S: 10:16:42, 174839527 packets processed at 4723.80 pps in 37012 seconds, with 0 drops.

Looks like I might need to tread carefully, if it's not a memory problem. I'm going to upgrade to the latest and see if my memory requirements change or I crash on the first alert.

PS: The fact that I run multiple sensors is why I pushed for the 'R' option. My /var/run directory looks like this:

    % ls /var/run/*eth*
    /var/run/snort_eth2-bg.pid  /var/run/snort_eth2-mm.pid
    /var/run/snort_eth2-by.pid  /var/run/tcpdump_eth2-xy.pid

> --
> Chris Green <cmg () sourcefire com>
> To err is human, to moo bovine.

--
Phil Wood, cpw () lanl gov