Re: problem running snort 2.9.4 against a bridge interface (br0)

[Tony Robinson <deusexmachina667 () gmail com>]

Figured it out. This was a layer 8 problem. Apparently I never configured a
swap partition on my vm... even though the vm had free memory,  I added a
swap partition and everything is working fine.
On Dec 15, 2012 11:49 AM, "Tony Robinson" <deusexmachina667 () gmail com>
wrote:

> I've narrowed down the problem. It seems that this problem only occurs
> when I specify the -D command option to Daemonize snort.
>
> running snort against br0 as root or the snort user using my snort.conf
> works perfectly fine, but the moment I go to daemonize it, it doesn't want
> to fork a child process for snort.
>
> On Sat, Dec 15, 2012 at 12:35 AM, Tony Robinson <
> deusexmachina667 () gmail com> wrote:
>
> > I know that daq afpacket can handle bridging interfaces, but you should
> > still be able to run snort against a bridge interface in 2.9.4? Or was that
> > something I missed in the release notes?
> >
> > I'm running into a problem where snort was failing to start and failing
> > to write to Syslog. Undaunted, I attempt to start snort manually with the
> > following command syntax:
> > /usr/local/snort/bin/snort -D -u snort -g snort -c
> > /usr/local/snort/etc/snort.conf -i br0 (bro is bridging eth1 and eth2)
> > ..and I end up with the following error after the system tells me that it
> > made a process for snort:
> > Spawning daemon child...
> > fork: Cannot allocate memory
> >
> > I did google-fu this error before coming here and most articles seem to
> > point towards "not enough memory on system" or "are you on a VPS?"
> >
> > -System is running in a virtual machine (ESXi 5.0.0)
> > -System is running on Ubuntu 12.04 64-bit with 1gb of memory (virtual
> > machine)
> > -System had 800mb+ of free memory when command execution begins (running
> > "watch free -m")
> > -Drops down to 300mb of free memory before getting the error above and
> > just giving up on starting or writing to the log or spawning the process
> > (again, "watch free -m"), still plenty of memory for it to try to claim
> > -the last lines in the log are:
> > CG snort[1448]: pcap DAQ configured to passive.
> > CG snort[1448]: Acquiring network traffic from "br0".
> > CG snort[1448]: Initializing daemon mode
> > ..then nothing else from snort in the logs. No warns, no FATALs, nothing.
> > -ran ulimit -a for the root user and the snort user to verify that I'm
> > not putting any artificial resource limits on the snort user or root user.
> > both snort and the root user have access to "unlimited" resources.
> >
> >
> > I'm at a loss as to why this is happening. Just to ensure that the
> > problem wasn't with me trying to run snort against a bridge interface, I
> > configured snort to run against eth1 instead, resulting in the same error.
> > This problem also occurs after a reboot (I rebooted the box because some
> > windows habits die hard.)
> >
> > I have an strace on my system from running this command, but wanted to
> > post here to see if maybe this was a known bug, issue, or if this is even
> > an issue/bug at all and I'm just 'doing it wrong' before bothering to post
> > it.
> >
> > OS: ESXi 5.0.0
> > VM: Ubuntu 12.04 64-bit
> > Snort 2.9.4 (text rules from 2931 registered users snapshot; configured
> > via pulled pork (security ruleset); NO SO rules enabled(pp with -T option);
> > compiled with --prefix=/usr/local/snort --enable-sourcefire and no other
> > options)
> >
> >
> > I have another Ubuntu 12.04 vm (32-bit) configured to listen against eth1
> > and do not experience this problem at all.
> >
> > Any ideas?
> >
> > DA
> >
> > --
> > when does reality end? when does fantasy begin?
>
>
>
> --
> when does reality end? when does fantasy begin?
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!