Snort mailing list archives
snort 1.8.6 crashing when running two instances on the same interface with Openbsd
From: Jerome Magnin <jethro () ebat org>
Date: Tue, 16 Apr 2002 00:35:34 +0200
Hi,

I am running snort 1.8.6 on openbsd 3.0 generic

$ uname -a
OpenBSD beast 3.0 GENERIC#94 i386
$ /usr/local/bin/snort -V

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
$

I'm running two instances of snort on the same interface of my firewall to monitor all the traffic to a honeypot.

My firewall has 3 nics, one for the adsl modem, one for the lan (100) and one for the honeynet (100).
The cpu is a 166MHz k6 and the amount of RAM is 32MB.

I have almost the default configuration (see below) and I use these two command lines:

/usr/local/bin/snort -c /usr/local/etc/snort/snort-hp.conf -A fast -i xl0 -D
/usr/local/bin/snort -dvi xl0 -D -b

If I do a full portscan of the honeypot from a workstation within my lan, the fw crashes and reboots.
The message displayed is:

panic: malloc: out of space in kmem_map

My questions are:

1- is it possible to have a dump of _all_ the traffic and not just logged packets PLUS "real time" alerts with a single snort process?
2- is my problem a known problem and if yes, what is the workaround if any?
3- is it a snort issue or an openbsd issue?

thanks
Jerome

see my configuration file below:

var HOME_NET 10.0.1.0/24
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ./rules

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

output log_tcpdump: snort-hp.log

include classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/local.rules

--
jethro () ebat org
gpg key - http://www.ebat.org/jethro.pub
Current thread:
- snort 1.8.6 crashing when running two instances on the same interface with Openbsd Jerome Magnin (Apr 15)
- Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd Erek Adams (Apr 15)
- Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd Chris Green (Apr 15)
- Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd Andreas Östling (Apr 16)