Snort mailing list archives

snort 1.8.6 crashing when running two instances on the same interface with Openbsd


From: Jerome Magnin <jethro () ebat org>
Date: Tue, 16 Apr 2002 00:35:34 +0200

Hi,

I am running snort 1.8.6 on OpenBSD 3.0 GENERIC

$ uname -a
OpenBSD beast 3.0 GENERIC#94 i386
$ /usr/local/bin/snort -V

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
$ 

I'm running two instances of snort on the same interface of my firewall to monitor all the traffic to a honeypot.
My firewall has 3 NICs, one for the ADSL modem, one for the LAN (100) and one for the honeynet (100).
The CPU is a 166MHz K6 and the amount of RAM is 32MB.

I have almost the default configuration (see below) and I use these two command lines:

/usr/local/bin/snort -c /usr/local/etc/snort/snort-hp.conf -A fast -i xl0 -D
/usr/local/bin/snort -dvi xl0 -D -b

If I do a full port scan of the honeypot from a workstation within my LAN, the fw crashes and reboots.
The message displayed is:

panic: malloc: out of space in kmem_map

My questions are:

1- is it possible to have a dump of _all_ the traffic and not just logged packets PLUS "real time" alerts with a single snort process?
2- is my problem a known problem and, if yes, what is the workaround, if any?
3- is it a snort issue or an OpenBSD issue?

thanks

Jerome


See my configuration file below:

var HOME_NET 10.0.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ./rules
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: snort-hp.log
include classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/local.rules




-- 
jethro () ebat org
gpg key - http://www.ebat.org/jethro.pub
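As an added example (not from the original post or the Snort project), one way question 1 could be approached: a single snort.conf that writes one-line alerts and a tcpdump-format dump of every IP packet, so only one process opens xl0. It assumes Snort 1.8.x output plugin names (alert_fast, log_tcpdump) and that a log rule with no options matches every packet of its protocol; the file name snort-hp.conf and the -l directory are placeholders.

```snort
# Added example, not from the original post or the Snort project.
# Intended as a single-process replacement for the two command lines above:
#   snort -c snort-hp.conf -i xl0 -l /var/log/snort -D
var HOME_NET 10.0.1.0/24
var EXTERNAL_NET any
var RULE_PATH ./rules

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log

# "real time" alerts in the same one-line format that -A fast produces
output alert_fast: alert
# every logged packet goes to one tcpdump-format file (what -b did)
output log_tcpdump: snort-hp.log

include classification.config
include $RULE_PATH/scan.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/local.rules

# Catch-all log rule (assumption: a log rule with no options matches every
# IP packet in Snort 1.8.x). With the default alert -> pass -> log ordering,
# a packet that triggers an alert is logged by the alert and may also match
# here, so the dump can contain that packet twice.
log ip any any -> any any
```

This only reduces the number of BPF readers on xl0 from two to one; whether that is enough to avoid the kmem_map panic on a 32MB box is not something the post establishes, so watch memory use under a test scan before relying on it.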

