Snort mailing list archives

Re: Question


From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
Date: Mon, 25 Jul 2011 09:37:27 -0500

Good info. I am running in AC. For now I am running without the buffers. I'll take the packet loss over having snort stop running. I guess I will reevaluate my rule set to get that trimmed up... until snort can multithread... God, I can't wait until that.

config detection: search-method ac search-optimize

preprocessor frag3_global: max_frags 75536, memcap 143654912

preprocessor stream5_global: memcap 134217728, max_tcp 1048576, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5,


Thanks again for all your help!

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Saturday, July 23, 2011 12:19 AM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

Ring buffer memory is only a buffer, and a buffer will eventually fail if the CPU cannot keep up with the traffic. No matter how large the buffer, eventually it will run out because it's in a losing game. A large buffer just buys you a few seconds before the packet loss. One thing a lot of RAM will get you is the ability to run ac for your pattern matching engine instead of ac-split. That will increase performance and might let your CPU keep up.

1. When I start with the variables (which I have been using for a year with no problem) I get no packet loss.  
However the snort process just "disappears/stops after 24 hours" with no logs as to why.

Sounds like a cron job is killing it.

2. When I start without the variables Snort is stable but I get an average of 25% packet loss.

As I understand it, PF_RING won't use those variables anyway. To get a look, cat /proc/net/pf_ring/<file for snort pid> which should give you the best numbers.


Again I have 12GB of memory on this R710. I can't imagine why it's running out of memory. And the fact that it's been running fine for a year is what's killing me. It has to be a rule causing this.

7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) can't mmap rx ring: Cannot allocate memory!

PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

I don't think it's actually running out of memory or can't allocate it, I think it's a different problem.  What are 
your daq config variables?
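
Added example, not part of either message above: a small simulation of the ring buffer argument, showing that a larger ring delays the first drop but leaves the steady loss rate unchanged when the detection engine is slower than the wire. The packet rates are constructed sample values, and 65535 is borrowed from the PCAP_FRAMES setting in the post only as a sample ring size.

```python
# Added illustration, not code from the thread. A capture ring is filled at
# the wire rate and drained at the detection engine's rate; all rates below
# are constructed sample values.

def simulate(ring_slots, arrival_pps, service_pps, seconds, tick_hz=1000):
    """Return (seconds until first drop or None, loss fraction in last second)."""
    per_tick_in = arrival_pps / tick_hz    # packets offered per tick
    per_tick_out = service_pps / tick_hz   # packets the engine inspects per tick
    queued = 0.0
    first_drop = None
    last_in = last_dropped = 0.0
    total_ticks = seconds * tick_hz
    for tick in range(total_ticks):
        # Packets arrive; anything beyond the free slots is dropped.
        accepted = min(per_tick_in, ring_slots - queued)
        dropped = per_tick_in - accepted
        queued += accepted
        if dropped > 0 and first_drop is None:
            first_drop = tick / tick_hz
        # The engine then drains what it can.
        queued -= min(queued, per_tick_out)
        # Measure loss over the final second only (steady state).
        if tick >= total_ticks - tick_hz:
            last_in += per_tick_in
            last_dropped += dropped
    return first_drop, last_dropped / last_in


def compare():
    """Same overloaded sensor with a small ring, a 10x ring, and a faster engine."""
    small = simulate(65535, 100_000, 75_000, seconds=60)
    large = simulate(655350, 100_000, 75_000, seconds=60)
    keeping_up = simulate(65535, 100_000, 120_000, seconds=60)
    return small, large, keeping_up


if __name__ == "__main__":
    labels = ("small ring", "10x ring", "faster engine")
    for label, (first_drop, loss) in zip(labels, compare()):
        when = "never" if first_drop is None else f"{first_drop:.1f}s"
        print(f"{label}: first drop {when}, steady loss {loss:.0%}")
```

With these sample rates the 10x ring postpones the first drop from about 2.6 seconds to about 26 seconds, and both rings settle at the same loss rate; only raising the drain rate removes the loss.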
