Snort mailing list archives
Re: OpenPcap() (doc typo)
From: "Justin Heath" <justin.heath () gmail com>
Date: Wed, 21 Jun 2006 10:53:38 -0400
No problem. Thanks for the report on the typo.

On 6/21/06, Gentoo-Wally <gentoowally () gmail com> wrote:
FYI this was exactly the problem. Just wanted to post to note that there is a typo in the 2.6.0 docs in the config detection section...

– ac-sparebands Aho-Corasick Sparse-Banded (small memory, high performance)

Should probably be...

– ac-sparSebands Aho-Corasick Sparse-Banded (small memory, high performance)

Thx for the help,
Wally

On 6/20/06, Gentoo-Wally <gentoowally () gmail com> wrote:
> That is probably exactly what I'm looking for. Thx for the reminder.
>
> Wally
>
> On 6/20/06, Justin Heath <justin.heath () gmail com> wrote:
> > This was posted from Steve Sturges a little while back on snort-users:
> >
> > "As noted in the RELEASE.NOTES, there was a change in the
> > default pattern matching engine from Wu-Manber to standard
> > Aho-Corasick which is faster but consumes more memory.
> >
> > This effectively replaced an implicit config of
> >
> > config detection: search-method mwm
> >
> > with
> >
> > config detection: search-method ac
> >
> > The Aho-Corasick implementation in snort has a few different
> > memory models, standard, full, banded, sparse, and sparse
> > banded. The sparse and sparse-banded ones consume much less
> > memory... To use them, add a snort.conf line, as desired,
> > for example. Wu-Manber is being deprecated in the next
> > release.
> >
> > config detection: search-method ac-sparsebands
> >
> > There is also the lowmem method, which is slow, but uses
> > very little memory."
> >
> >
> > On 6/20/06, Gentoo-Wally <gentoowally () gmail com> wrote:
> > > Thx. So do you think a jump from 25% usage in 2.4.5 to 90% usage in
> > > 2.6.0 on a machine with 1Gb ram should be expected?
> > >
> > > On 6/20/06, Joel Esler <joel.esler () sourcefire com> wrote:
> > > > Snort 2.6 uses more memory than its predecessors. The OpenPcap msg you
> > > > saw is normal, it's just telling you that there is no IP assigned to the
> > > > sniffing interface (eth0).
> > > > Which, if you are using a promisc card
> > > > interface with no IP, is exactly what you want...
> > > >
> > > > Joel
> > > >
> > > > Gentoo-Wally wrote:
> > > > > I've started looking at snort 2.6.0 and have run into something
> > > > > strange.
> > > > >
> > > > > Compile info:
> > > > > 1. gcc 4.1.1
> > > > > 2. ./configure --enable-dynamicplugin --enable-dependency-tracking
> > > > >    --with-libpcap-includes=/usr/include/
> > > > >    --with-libpcap-libraries=/usr/lib/
> > > > > 3. Have tried libpcap 0.9.4 and the current version of Phil Wood's
> > > > >    libpcap
> > > > > 4. Gentoo Linux box
> > > > > 5. 'ifconfig eth0 up promisc' to bring the interface up
> > > > >
> > > > > No errors during ./configure && make && make install
> > > > >
> > > > > when I start snort it hangs for 15-30 seconds at...
> > > > >
> > > > > Initializing Network Interface eth0
> > > > > OpenPcap() device eth0 network lookup:
> > > > >         eth0: no IPv4 address assigned
> > > > > Decoding Ethernet on interface eth0
> > > > >
> > > > >
> > > > > I'm starting it like this..
> > > > >
> > > > > /usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c
> > > > > /usr/local/etc/snort/snort.conf
> > > > >
> > > > > also tried...
> > > > >
> > > > > /usr/local/bin/snort -i eth0 -l /var/log/snort -c
> > > > > /usr/local/etc/snort/snort.conf
> > > > >
> > > > >
> > > > > At this point memory consumption skyrockets to 95% usage even with
> > > > > all preprocessors except flow turned off. After about 30 seconds it
> > > > > finishes initializing and appears to work correctly but at 95% memory
> > > > > consumption and swap usage begins kicking in.
> > > > >
> > > > > I googled the OpenPcap message but found nothing that seems relevant
> > > > > to my situation.
> > > > >
> > > > > I also have a snort 2.4.5 install on the same box. When it starts I do
> > > > > not see the OpenPcap message and it works flawlessly at around 18-24%
> > > > > mem usage with all preprocessors on.
> > > > >
> > > > > I also tried compiling 2.6.0 without the new dynamic preprocessors or
> > > > > the dep tracking and I still get the openpcap message and crazy mem
> > > > > usage.
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Wally
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > - --
> > > > +---------------------------------------------------------------------+
> > > > Joel Esler Senior Security Consultant 1-706-627-2101
> > > > Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
> > > > Snort - Open Source Network IPS/IDS -- http://www.snort.org
> > > > GPG Key http://demo.sourcefire.com/jesler.pgp.key
> > > > +---------------------------------------------------------------------+
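The memory models Steve Sturges lists (full, banded, sparse) are what separate `search-method ac` from `ac-sparsebands` in footprint. As an added illustration, not code from Snort or from anyone on this thread, the following builds a small Aho-Corasick automaton and counts transition-table cells under toy versions of three layouts; the cell-counting rules are assumptions that approximate, not reproduce, Snort's acsmx2 encodings, and the patterns and input are constructed.

```python
from collections import deque

def build(patterns):
    """Classic Aho-Corasick: trie goto links, failure links, merged outputs."""
    goto, out = [{}], [set()]
    for pat in patterns:
        s = 0
        for b in pat.encode():
            if b not in goto[s]:
                goto[s][b] = len(goto); goto.append({}); out.append(set())
            s = goto[s][b]
        out[s].add(pat)
    fail, q = [0] * len(goto), deque(goto[0].values())  # depth-1 states fail to root
    while q:
        s = q.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] |= out[fail[t]]  # suffix matches are reported too
            q.append(t)
    return goto, fail, out

def step(goto, fail, s, b):  # next state for byte b, following failure links
    while s and b not in goto[s]:
        s = fail[s]
    return goto[s].get(b, 0)

def table_cells(goto, fail, model):
    """Cells to store all 256-wide DFA rows under a toy layout (an assumption
    approximating, not reproducing, Snort's acsmx2 full/banded/sparse formats)."""
    total = 0
    for s in range(len(goto)):
        used = [b for b in range(256) if step(goto, fail, s, b)]  # non-zero cells
        if model == "full":      # 256 cells per row, no header
            total += 256
        elif model == "banded":  # min..max span of used bytes + 2 header cells
            total += 2 + (max(used) - min(used) + 1 if used else 0)
        else:                    # "sparse": a count + one (byte, state) pair each
            total += 1 + 2 * len(used)
    return total

def search(goto, fail, out, data):  # one pass over data -> {pattern: [end offsets]}
    hits, s = {}, 0
    for i, b in enumerate(data.encode()):
        s = step(goto, fail, s, b)
        for pat in out[s]:
            hits.setdefault(pat, []).append(i)
    return hits
```

With the constructed patterns "he", "she", "his", "hers" the full layout needs 2560 cells against 146 banded and 62 sparse, while `search` returns the same matches whichever layout backs the rows; that gap, scaled to a full ruleset, is the memory jump the thread is about.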
Current thread:
- Re: OpenPcap() (doc typo) Gentoo-Wally (Jun 21)
- Re: OpenPcap() (doc typo) Justin Heath (Jun 21)