Snort mailing list archives
Re: snort: FATAL ERROR: Unable to allocate memory!
From: Alex Kirk <alex.kirk () sourcefire com>
Date: Mon, 20 Dec 2004 09:09:51 -0500
Zulkurnain,Well, judging from what you've posted of dmesg and /var/log/all.log, it's pretty obvious that you've got plenty of memory for Snort to be running in, and that you've got at least some of the basics properly configured (i.e. Snort will run for at least a little while).
Given this, I'd suggest looking into what Prabu had suggested (my apologies if that's your last name or if I've otherwise mangled it); that sounds like a likely candidate for the source of your problem. Additionally, you'll want to make sure you've properly configured your $HOME_NET and $EXTERNAL_NET variables, so that Snort can look at only packets that are relevant instead of all of them (not setting these two is an excellent way to chew up large chunks of memory); also, you may want to disable rules that aren't relevant to your network, i.e. oracle.rules if you've not got any Oracle servers.
Alex Kirk Research Analyst Sourcefire. Inc.
Alex Kirk wrote:* dmesg for the boxes this is occuring on (perhaps they just simply don't have enough RAM to cope with what you're trying to do, there's a driver problem, etc.)dmesg | more ..... i just add some more memory to the box...i also paste error message from /var/log/all.log (below).... if anybody know what is going wrong, pls let me know...------------------- OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004 deraadt () i386 openbsd org:/usr/src/sys/arch/i386/compile/GENERICcpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 449 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE cpu0: disabling processor serial number real mem = 402227200 (392800K) avail mem = 366387200 (357800K) using 4278 buffers containing 20213760 bytes (19740K) of memory mainbus0 (root)bios0 at mainbus0: AT/286+(b7) BIOS, date 05/19/99, BIOS32 rev. 0 @ 0xfd7a0apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown pcibios0 at bios0: rev. 2.1 @ 0xfd7a0/0x860 pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfdf30/176 (9 entries) pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00) pcibios0: PCI bus #1 is the last busbios0: ROM list: 0xc0000/0x8000 0xc8000/0x4800 0xe0000/0x4000! 0xe4000/0xc000pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03 ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03 -------------------------* All the messages from /var/log/message surrounding this error (in case there are other things which are leading up to this problem)tail from /var/log/all.log...snort only running about 30 minutes... -------------Dec 20 09:54:56 ids1 snort: [1:553:7] POLICY FTP anonymous login attempt [Classification: Misc activity] [Priority: 3]: <fxp0> {TCP} 217.196.121.21:3117 -> xxx.xxx.xxx.xxx:21 Dec 20 09:55:56 ids1 snort: [1:2003:7] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: <fxp0> {UDP} 61.156.8.111:1240 -> xxx.xxx.xxx.xxx:1434 Dec 20 09:55:56 ids1 snort: FATAL ERROR: Unable to allocate memory! (8193 requested)Dec 20 10:00:01 ids1 cron[4705]: (root) CMD (/usr/bin/newsyslog)Dec 20 10:00:01 ids1 cron[6273]: (root) CMD (/usr/sbin/sendmail -L sm-msp-queue -Ac -q)-------------------------------I can't guarantee I can solve this, but I'd be happy to give it a shot. Alex Kirk Research Analyst Sourcefire, Inc. [ Scanned by JARING E-Mail Virus Scanner ( http://www.jaring.my ) ]
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users.Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort: FATAL ERROR: Unable to allocate memory! Zulkurnain (Dec 17)
- Re: snort: FATAL ERROR: Unable to allocate memory! Alex Kirk (Dec 17)
- Re: snort: FATAL ERROR: Unable to allocate memory! Zulkurnain (Dec 25)
- Re: snort: FATAL ERROR: Unable to allocate memory! Alex Kirk (Dec 20)
- Re: snort: FATAL ERROR: Unable to allocate memory! Zulkurnain (Dec 30)
- Re: snort: FATAL ERROR: Unable to allocate memory! Zulkurnain (Dec 25)
- Re: snort: FATAL ERROR: Unable to allocate memory! Alex Kirk (Dec 17)
- Re: snort: FATAL ERROR: Unable to allocate memory! Senthil Prabu.S (Dec 18)