Snort mailing list archives
Re: S5 and memcap default setting
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 14 Sep 2011 17:30:41 +0000
On 9/14/2011 3:41 PM, Eoin Miller wrote:
Upgraded to Snort 2.9.1 finally and having some weird issues where it seems to randomly die.
Could just be memory use issues when I copied the same new conf between the 32bit and 64bit systems. I was specifying a daq buffer of 384mb on all systems and previously I was doing:

32bit: 192mb
64bit: 384mb

It looks like as buffers get larger depending on the amount of load at the time, then the process will attempt to address more memory than allowed by the limit of the kernel or architecture?

/var/log/messages:
---SNIP---
Sep 14 13:13:53 nids-egress-frr kernel: Out of memory: Killed process 19792, UID 2, (snort).
---SNIP---

---SNIP---
[ Number of patterns truncated to 20 bytes: 2764 ]
afpacket DAQ configured to passive.
Acquiring network traffic from "bond0".
Reload thread starting...
Reload thread started, thread 0x9c58eb90 (19792)
Set gid to 2
Set uid to 2

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.02 2010-03-19
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.15 <Build 18>
           Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
           Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
           Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
           Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
           Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
           Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
           Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
           Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
           Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
           Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Commencing packet processing (pid=19792)
Decoding Ethernet
Killed
---SNIP---

I've scaled back the size of the buffer for the daq (using afpacket) to see if that fixes the issue.
I'm pretty sure I remember running into this previously. Don't know if there is anything that should be done to prevent the process from getting killed off by the kernel or not though? Would require some sort of memory utilization and deciding on which buffers were more important than others or something. Probably a bit of a PITA.

FYI, this was happening before I upped the amount of memory from 8mb to 32mb for Stream5 preproc memcap.

-- Eoin
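
A way to confirm from logs that a sensor outage like the one in this message was a kernel OOM kill, as an added example that is not part of the original post or of Snort: it matches the kernel line format quoted above against the PID Snort prints at startup. The function names and the second sample syslog line are constructed for illustration, and other kernel versions word the OOM line differently.

```python
import re

# Kernel OOM-killer line, in the format shown in the post's /var/log/messages
# excerpt. Assumption: other kernel versions need a different pattern.
OOM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+kernel:\s+"
    r"Out of memory: Killed process (?P<pid>\d+), UID (?P<uid>\d+), "
    r"\((?P<comm>[^)]+)\)"
)
# Snort prints the PID of the packet-processing process at startup.
START_RE = re.compile(r"Commencing packet processing \(pid=(?P<pid>\d+)\)")


def snort_pids(startup_lines):
    """PIDs announced by Snort in its startup output."""
    return {int(m.group("pid")) for line in startup_lines
            if (m := START_RE.search(line))}


def sensor_oom_kills(syslog_lines, startup_lines, comm="snort"):
    """Return OOM kills of the sensor process, flagging whether each killed
    PID matches a PID that Snort announced when it started."""
    known = snort_pids(startup_lines)
    kills = []
    for line in syslog_lines:
        m = OOM_RE.match(line)
        if not m or m.group("comm") != comm:
            continue
        pid = int(m.group("pid"))
        kills.append({"time": m.group("ts"), "host": m.group("host"),
                      "pid": pid, "uid": int(m.group("uid")),
                      "pid_confirmed": pid in known})
    return kills


# Sample input: the first syslog line and the startup line are quoted from the
# post; the second syslog line is constructed to show a non-sensor kill.
SYSLOG = [
    "Sep 14 13:13:53 nids-egress-frr kernel: Out of memory: Killed process 19792, UID 2, (snort).",
    "Sep 14 13:20:01 nids-egress-frr kernel: Out of memory: Killed process 4242, UID 48, (httpd).",
]
STARTUP = ["Commencing packet processing (pid=19792)"]

if __name__ == "__main__":
    for kill in sensor_oom_kills(SYSLOG, STARTUP):
        print(kill)
```

A kill with `pid_confirmed` set to false means the syslog entry names the sensor but the PID does not match the startup output supplied, for example after a restart that was not captured.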