Re: Question

[Martin Holste <mcholste () gmail com>]

The packet loss is a separate tuning issue.  That probably means
things are working.  Run Snort configured with just a few rules that
hit often to test it and look at your packet loss then.  If you are
monitoring more than a few hundred MB/sec and you are running more
than 1000 rules, I guarantee you will be dropping packets.

On Thu, Jul 21, 2011 at 10:53 AM, Gibson, Nathan J. (HSC)
<Nathan-Gibson () ouhsc edu> wrote:
> I reboot weekly.  No I don't get the errors when I remove the environment variables but I get tremendous packet loss.
>
> -----Original Message-----
> From: Martin Holste [mailto:mcholste () gmail com]
> Sent: Monday, July 18, 2011 3:21 PM
> To: Gibson, Nathan J. (HSC)
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Question
>
> And you get the same error trying to run snort when you leave the environment variables off?
>
> On Mon, Jul 18, 2011 at 2:48 PM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:
> > Mem:  12462404k total,   470188k used, 11992216k free,     1056k
> >
> >
> > It shows I have 12GB
> > -----Original Message-----
> > From: Martin Holste [mailto:mcholste () gmail com]
> > Sent: Monday, July 18, 2011 12:10 PM
> > To: Gibson, Nathan J. (HSC)
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Question
> >
> > That error message indicates the box doesn't have enough RAM for PF_RING to allocate its memory.  Are you sure 
> > you're not low in RAM for the box?  That might also be a product of using PCAP_MEMORY=6120.
> > Try removing the environment variables as they shouldn't be needed anyway when using PF_RING (as the modprobe.conf 
> > settings control it).
> >
> > On Mon, Jul 18, 2011 at 9:42 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:
> > > I have been running snort for over a year now. Nothing has changed in
> > > my configuration (except new rules). I have been running the same
> > > rule categories for a year. All of the sudden (about a month ago)
> > > snort started randomly stopping with no apparent errors in the logs.
> > > The only error I get is when I try to restart snort I get the following error.
> > >
> > >
> > >
> > > 7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1)
> > > - can't mmap rx ring: Cannot allocate memory!
> > >
> > >
> > >
> > >
> > >
> > > As I said the only variable I have are the actual rules that are
> > > updated from ET and Sourcefire. Could a rule be causing this?
> > >
> > >
> > >
> > > Here are the stats on my snort config:
> > >
> > >
> > >
> > >
> > >
> > >    ,,_     -*> Snort! <*-
> > >
> > >   o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
> > >
> > >    ''''    By Martin Roesch & The Snort Team:
> > > http://www.snort.org/snort/snort-team
> > >
> > >            Copyright (C) 1998-2011 Sourcefire, Inc., et al.
> > >
> > >            Using libpcap version 1.1.1
> > >
> > >            Using PCRE version: 6.6 06-Feb-2006
> > >
> > >            Using ZLIB version: 1.2.3
> > >
> > >
> > >
> > >
> > >
> > > PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c
> > > /etc/snort/snort.conf -i eth1 -D
> > >
> > >
> > >
> > >
> > >
> > > top - 09:41:21 up 2 days, 24 min,  1 user,  load average: 0.14, 0.24,
> > > 0.22
> > >
> > > Tasks: 383 total,   1 running, 382 sleeping,   0 stopped,   0 zombie
> > >
> > > Cpu(s):  0.2%us,  0.1%sy,  0.0%ni, 99.6%id,  0.0%wa,  0.0%hi,
> > > 0.0%si, 0.0%st
> > >
> > > Mem:  12462404k total,   470188k used, 11992216k free,     1056k
> > > buffers
> > >
> > > Swap:  1020116k total,        0k used,  1020116k free,   260968k
> > > cached
> > >
> > > ---------------------------------------------------------------------
> > > -
> > > -------- AppSumo Presents a FREE Video for the SourceForge Community
> > > by Eric Ries, the creator of the Lean Startup Methodology on "Lean
> > > Startup Secrets Revealed." This video shows you how to validate your
> > > ideas, optimize your ideas and identify your business strategy.
> > > http://p.sf.net/sfu/appsumosfdev2dev
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please see http://www.snort.org/docs for documentation

------------------------------------------------------------------------------
5 Ways to Improve & Secure Unified Communications
Unified Communications promises greater efficiencies for business. UC can 
improve internal communications as well as offer faster, more efficient ways
to interact with customers and streamline customer service. Learn more!
http://www.accelacomm.com/jaw/sfnl/114/51426253/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation