Snort mailing list archives

Re: S5 and memcap default setting


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 14 Sep 2011 17:30:41 +0000

On 9/14/2011 3:41 PM, Eoin Miller wrote:
Upgraded to Snort 2.9.1 finally and having some weird issues where
it seems to randomly die.

Could just be memory use issues when I copied the same new conf
between the 32bit and 64bit systems. I was specifying a daq buffer
of 384mb on all systems and previously I was doing:

32bit: 192mb
64bit: 384mb

It looks like as buffers get larger depending on the amount of load at
the time, then the process will attempt to address more memory than
allowed by the limit of the kernel or architecture?

/var/log/messages:
---SNIP---
Sep 14 13:13:53 nids-egress-frr kernel: Out of memory: Killed process 19792, UID 2, (snort).
---SNIP---


---SNIP---
[ Number of patterns truncated to 20 bytes: 2764 ]
afpacket DAQ configured to passive.
Acquiring network traffic from "bond0".
Reload thread starting...
Reload thread started, thread 0x9c58eb90 (19792)
Set gid to 2
Set uid to 2

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.02 2010-03-19
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15  <Build 18>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
Commencing packet processing (pid=19792)
Decoding Ethernet
Killed
---SNIP---

I've scaled back the size of the buffer for the daq (using afpacket)
to see if that fixes the issue. I'm pretty sure I remember running
into this previously. Don't know if there is anything that should be
done to prevent the process from getting killed off by the kernel or
not though? Would require some sort of memory utilization and deciding
on which buffers were more important than others or something.
Probably a bit of a PITA. FYI, this was happening before I upped the
amount of memory from 8mb to 32mb for Stream5 preproc memcap.

-- Eoin
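
An added example, not part of the original post: a Python check that ties the two log excerpts above together by matching the pid in the kernel's OOM-kill entry to the pid Snort printed at startup, which confirms the bare "Killed" on the console was the kernel's doing. The function names and the second and third syslog entries are constructed for illustration; the first syslog entry and the console lines are the ones quoted in the post.

```python
import re

# Syslog timestamp prefix, e.g. "Sep 14 13:13:53 "; wrapped continuations lack it.
TS_RE = re.compile(r"^\w{3}\s+\d+\s\d\d:\d\d:\d\d\s")
# Kernel OOM-killer line in the format quoted in the post.
OOM_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\s"
    r"Out of memory: Killed process\s+(?P<pid>\d+),\s+UID\s+(?P<uid>\d+),"
    r"\s+\((?P<comm>[^)]+)\)")
# Snort announces its pid when packet processing starts.
START_RE = re.compile(r"Commencing packet processing \(pid=(\d+)\)")

def unwrap(text):
    """Re-join syslog entries that a mail client or pager wrapped."""
    entries = []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if TS_RE.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def oom_kills(syslog_text, comm="snort"):
    """Return one dict per OOM kill of the named process."""
    kills = []
    for entry in unwrap(syslog_text):
        m = OOM_RE.match(entry)
        if m and m.group("comm") == comm:
            kills.append({"time": m.group("time"), "host": m.group("host"),
                          "pid": int(m.group("pid")), "uid": int(m.group("uid"))})
    return kills

def correlate(syslog_text, snort_output):
    """Keep only the kills whose pid Snort reported at startup."""
    started = {int(pid) for pid in START_RE.findall(snort_output)}
    return [k for k in oom_kills(syslog_text) if k["pid"] in started]

# First entry is from the post (wrapped as posted); the other two are constructed.
SYSLOG = """\
Sep 14 13:13:53 nids-egress-frr kernel: Out of memory: Killed process
19792, UID 2, (snort).
Sep 14 13:14:02 nids-egress-frr kernel: Out of memory: Killed process 20411, UID 0, (rsyslogd).
Sep 14 13:20:10 nids-egress-frr kernel: Out of memory: Killed process 20555, UID 2, (snort).
"""
# Console lines from the post.
SNORT_OUT = "Commencing packet processing (pid=19792)\nDecoding Ethernet\nKilled\n"
if __name__ == "__main__":
    for kill in correlate(SYSLOG, SNORT_OUT):
        print("snort pid %(pid)d OOM-killed on %(host)s at %(time)s" % kill)
```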

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net