Snort mailing list archives

Re: Memory Issue?


From: Phil Wood <cpw () lanl gov>
Date: Tue, 12 Nov 2002 10:29:58 -0700

On Tue, Nov 12, 2002 at 09:15:35AM -0500, Chris Green wrote:
"Frank Reid" <fcreid () ourcorner org> writes:

I've been running snort on Mandrake 8.2 (2.4 kernel) for about 18
months, and it's been great.  I use the standard rule sets and log
alerts to a local MySQL database (3.23.53a).  Yesterday, I updated Snort
from CVS (2.0.0beta Build 33) and started seeing strange behavior.  This
may have been the first 2.0beta I pulled from CVS.  Anyway, as soon as I
trigger an alert against the network (something that Snort would
normally catch and log), I'm seeing this error:

    kernel: __alloc_pages: 0-order allocation failed (gfp0x1d2/0)


Are you out of memory?  2.0.0 uses a lot more memory on normal than
other snorts.

Great!  I'm the one that uses memory with my pcap ring buffer, now you come
along and double it!  Good thing I got some (hardware memory, that is).
I'm only running:

  Version 2.0.0beta (Build 13)

30048 root      19   0  109M  43M  1016 R    50.1  1.1  80:22 snort
30047 root      17   0 78572  10M   988 R    33.6  0.2  59:54 snort
30044 root      14   0  111M  45M  1216 R    15.7  1.1  28:16 snort
30042 root       9   0  105M  39M  1024 S     4.1  1.0  14:54 snort

Still got a little left:

Mem:  3932296K av, 2778620K used, 1153676K free,       0K shrd,   37020K buff

Haven't started to drop packets today.  But, that is standard for one of
the sensors.  The bg and by sensors look at two different networks.  The 
mm sensor is geared to look for more critical stuff to/from the entire network
space.

Sensor bg is enabled, using PID 30042 ? S 15:07 /data/pw/bin/snort
Datafile:     12679778 Nov 12 10:16 /data/pw/log/green/bg20021112.0000
Datafile:          122 Nov 12 08:20 /data/pw/log/green/bg20021112.0000.alert
S: 10:16:43, 20232417 packets processed at 546.62 pps in 37013 seconds, with 0 drops.

Sensor by is enabled, using PID 30048 ? R 82:31 /data/pw/bin/snort
Datafile:     93680703 Nov 12 10:16 /data/pw/log/yellow/by20021112.0000
Datafile:       661108 Nov 12 10:16 /data/pw/log/yellow/by20021112.0000.alert
S: 10:16:43, 146836466 packets processed at 3967.09 pps in 37013 seconds, with 0 drops.

Sensor mm is enabled, using PID 30047 ? R 61:22 /data/pw/bin/snort
Datafile:       590609 Nov 12 10:16 /data/pw/log/serious/mm20021112.0000
Datafile:       734851 Nov 12 10:16 /data/pw/log/serious/mm20021112.0000.alert
S: 10:16:42, 174839527 packets processed at 4723.80 pps in 37012 seconds, with 0 drops.

Looks like I might need to tread carefully, if it's not a memory problem.

I'm going to upgrade to the latest and see if my memory requirements change
or I crash on the first alert.

PS: The fact that I run multiple sensors is why I pushed for the 'R' option.
My /var/run directory looks like this:

% ls /var/run/*eth*
/var/run/snort_eth2-bg.pid  /var/run/snort_eth2-mm.pid
/var/run/snort_eth2-by.pid  /var/run/tcpdump_eth2-xy.pid

-- 
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
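A small check for the multi-sensor setup described above, added here as an example that is not from the thread or from Snort itself: it walks the per-sensor pidfiles that the 'R' option produces (snort_<iface>-<tag>.pid), reads each process's VmRSS from /proc, and asks whether free memory could absorb every sensor doubling its footprint. The pidfile and /proc directories, the RSS figures and the stale "snort_eth2-old.pid" entry are constructed fixtures, not data from the list.

```python
import re
import tempfile
from pathlib import Path

# With snort -R each sensor gets its own pidfile, e.g. /var/run/snort_eth2-bg.pid
PIDFILE_RE = re.compile(r"^snort_(?P<iface>[^-]+)-(?P<tag>.+)\.pid$")

def read_vm_rss_kb(proc_root, pid):
    """Resident set size in kB from <proc_root>/<pid>/status; None if the process is gone."""
    try:
        for line in Path(proc_root, str(pid), "status").read_text().splitlines():
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    except OSError:
        pass
    return None

def sensor_memory_report(pidfile_dir="/var/run", proc_root="/proc"):
    """One entry per snort sensor pidfile: sensor tag, interface, PID and current RSS."""
    report = []
    for pidfile in sorted(Path(pidfile_dir).iterdir()):
        m = PIDFILE_RE.match(pidfile.name)
        if not m:  # skips unrelated pidfiles such as tcpdump_eth2-xy.pid
            continue
        pid = int(pidfile.read_text().strip())
        report.append({"sensor": m.group("tag"), "iface": m.group("iface"),
                       "pid": pid, "rss_kb": read_vm_rss_kb(proc_root, pid)})
    return report

def memory_headroom(report, mem_free_kb, growth_factor=2.0):
    """Could free memory absorb every live sensor growing by growth_factor (the 2.0.0 worry)?"""
    live = [r for r in report if r["rss_kb"] is not None]
    total = sum(r["rss_kb"] for r in live)
    extra = int(total * (growth_factor - 1.0))
    return {"sensors": len(live), "stale": len(report) - len(live),
            "total_rss_kb": total, "extra_needed_kb": extra, "ok": extra <= mem_free_kb}

def build_fixture():
    """Constructed stand-in for /var/run and /proc, modelled on the three sensors in the thread."""
    root = Path(tempfile.mkdtemp())
    run, proc = root / "run", root / "proc"
    run.mkdir(); proc.mkdir()
    for tag, pid, rss_kb in (("bg", 30042, 39 * 1024), ("by", 30048, 43 * 1024), ("mm", 30047, 10 * 1024)):
        (run / f"snort_eth2-{tag}.pid").write_text(f"{pid}\n")
        (proc / str(pid)).mkdir()
        (proc / str(pid) / "status").write_text(f"Name:\tsnort\nVmRSS:\t{rss_kb} kB\n")
    (run / "tcpdump_eth2-xy.pid").write_text("31000\n")  # not a snort sensor: must be ignored
    (run / "snort_eth2-old.pid").write_text("99999\n")   # stale pidfile: no /proc entry
    return str(run), str(proc)
```

Run against the real `/var/run` and `/proc` (the defaults) on a sensor box to get the same report for live processes; a None RSS flags a pidfile whose process has died.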




