Snort mailing list archives

snort >= 2.1.2 on OpenBSD -current and memory limits


From: Jon Hart <warchild () spoofed org>
Date: Tue, 27 Apr 2004 22:53:45 -0400

Hi,

I've rambled about this problem on and off in #snort a few times.  

I'm running OpenBSD 3.5 -current, and I've tried both Snort 2.1.2 from
ports and 2.1.2 and 2.1.3RC1 from source.  My snort.conf is mostly
default, the only exception being I'm using some of the rule files that
are disabled by default.

The problem is this:

        FATAL ERROR: No memory in mwmPrephashedPatternGroups() Try
        uncommenting the "config detection: search-method"in snort.conf

I'd much rather not settle for a sub-optimal search method.  This
machine has 256M of RAM (plus 256M of swap), and does little else except
some light firewall duties.  Something somewhere is killing snort,
because once it tries to malloc() more than 64M in total, further
malloc()s fail.  It just so happens that this particular malloc() is in
sfutil/mwm.c.

A week or more ago I thought I had it figured out.  /etc/login.conf
looked to be imposing memory limits on the group that my snort user was
in, so I bumped it up higher.  This worked for a bit until I updated my
ruleset.  As luck would have it, the additional rules again bumped me up
over some memory limit, and once again the same malloc() is failing.
Now regardless of how high I put the limits, the malloc still fails.

I can verify this by running some simple C code that mallocs ~64M of
memory.  It'll fail.  It will also fail if I run the same code as root,
which makes me think that /etc/login.conf is no longer at fault.  I
recall earlier this week on the OpenBSD lists one of the developers
talking about memory (stack?) limitations on the Sparc, and that they
would never go over 8M.  This makes me think that somewhere there is a
memory limit I don't know about.

So.... does anyone here use Snort on a truly current OpenBSD box?  If
so, what did you do to get it to work?


Thanks,

-jon
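
A diagnostic in the spirit of the malloc() test described in the message above, added here as an example (it is not the poster's code and not part of Snort). It prints the process's RLIMIT_DATA soft and hard limits and then allocates in fixed-size chunks to find the cumulative total at which malloc() starts failing; the function names data_limits and probe_total_mb, and the 4 MB chunk and 128 MB target, are assumptions chosen for illustration.

```c
/* Added diagnostic example; function names are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#define MB (1024UL * 1024UL)
#define MAX_CHUNKS 4096

/* Read this process's soft and hard data-size limits (RLIMIT_DATA).
 * Returns 0 on success, -1 if getrlimit() fails. */
int data_limits(rlim_t *soft, rlim_t *hard)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_DATA, &rl) != 0)
        return -1;
    *soft = rl.rlim_cur;
    *hard = rl.rlim_max;
    return 0;
}

/* malloc() blocks of chunk_mb until malloc() fails or target_mb is reached.
 * Returns the total MB obtained; all blocks are freed before returning. */
size_t probe_total_mb(size_t chunk_mb, size_t target_mb)
{
    void *blocks[MAX_CHUNKS];
    size_t n = 0, got = 0;
    if (chunk_mb == 0) return 0;
    while (got + chunk_mb <= target_mb && n < MAX_CHUNKS) {
        void *p = malloc(chunk_mb * MB);
        if (p == NULL)
            break;                       /* the failure the post describes */
        memset(p, 0xA5, chunk_mb * MB);  /* touch the pages so they are really used */
        blocks[n++] = p;
        got += chunk_mb;
    }
    while (n > 0)
        free(blocks[--n]);
    return got;
}

int main(void)
{
    rlim_t soft, hard;
    if (data_limits(&soft, &hard) == 0)
        printf("RLIMIT_DATA soft=%llu hard=%llu bytes\n",
               (unsigned long long)soft, (unsigned long long)hard);
    printf("got %lu of 128 MB before malloc() failed or the target was hit\n",
           (unsigned long)probe_total_mb(4, 128));
    return 0;
}
```

Running it once as the Snort user and once as root shows whether the two accounts see different limits and whether the allocation total stops at the same point for both.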



