Snort mailing list archives

Re: memcap maxed out


From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Tue, 23 Sep 2014 09:27:07 +0000

I believe the default configuration picks up a large amount of false positives; that is why it is maxing out the CPU.


I would recommend you install pulledpork and use a policy, balanced or security.


Then start customising rules from there.


To install pulledpork on CentOS:


http://www.rivy.org/2013/03/updating-snort-rules-using-pulled-pork/

yum install perl-Crypt-SSLeay perl-LWP-Protocol-https perl-Sys-Syslog perl-Archive-Tar
cd /usr/local/bin
wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
chmod 755 pulledpork.pl
mkdir /etc/pulledpork/
cd /etc/pulledpork
wget http://pulledpork.googlecode.com/svn/trunk/etc/pulledpork.conf

  * configure the file

To run pulledpork:
pulledpork.pl -c /etc/pulledpork/pulledpork.conf -vv -P
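
Filling in the "configure the file" step above, as an added example that is not part of this post or of pulledpork itself: a POSIX shell helper that writes the rule source, the Snort paths and the ips_policy into pulledpork.conf and rejects a policy name the rule snapshot does not ship. The paths (/usr/local/bin/snort, /etc/snort/...), the placeholder oinkcode, the function names and the pulledpork.conf excerpt it edits are assumptions constructed for the example; substitute your own before pointing it at /etc/pulledpork/pulledpork.conf.

```sh
#!/bin/sh
# Added example (not from the thread or the pulledpork project): a small helper that fills in
# the "configure the file" step for pulledpork.conf without hand-editing it.
# Assumptions: Snort 2.9.x under /usr/local, snort.conf in /etc/snort, rules written to
# /etc/snort/rules/snort.rules, and the registered-user snapshot fetched with an oinkcode.
# The pulledpork.conf excerpt below is constructed for this example, not the shipped file.

PP_SAMPLE_CONF=$(mktemp)
trap 'rm -f "$PP_SAMPLE_CONF"' EXIT
cat > "$PP_SAMPLE_CONF" <<'EOF'
# pulledpork.conf (constructed excerpt)
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
rule_path=/usr/local/etc/snort/rules/snort.rules
#ips_policy=balanced
EOF

# pp_set FILE KEY VALUE: rewrite the first "KEY=" line (a commented-out default "#KEY=" counts),
# or append KEY=VALUE when the key is absent. Values must not contain backslashes (awk -v
# interprets them); pulledpork values never do.
pp_set() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        !done && $0 ~ ("^#*[ \t]*" k "=") { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# pp_get FILE KEY: print the value of the first active (uncommented) KEY= line.
pp_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# configure_pulledpork FILE OINKCODE [POLICY]: set the rule source, paths and IPS policy.
# POLICY is one of the four policies the rule snapshot ships: connectivity, balanced,
# security, max-detect. Anything else is rejected rather than written into the file.
configure_pulledpork() {
    conf=$1 oinkcode=$2 policy=${3:-balanced}
    case $policy in
        connectivity|balanced|security|max-detect) ;;
        *) echo "configure_pulledpork: unknown ips_policy '$policy'" >&2; return 1 ;;
    esac
    pp_set "$conf" rule_url "https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$oinkcode"
    pp_set "$conf" snort_path /usr/local/bin/snort
    pp_set "$conf" config_path /etc/snort/snort.conf
    pp_set "$conf" rule_path /etc/snort/rules/snort.rules
    pp_set "$conf" sid_msg /etc/snort/sid-msg.map
    pp_set "$conf" ips_policy "$policy"
}

# Stand-alone run: configure the sample with the oinkcode from $OINKCODE (placeholder if unset)
# and show the active settings. On a real box, point it at /etc/pulledpork/pulledpork.conf
# and then run: pulledpork.pl -c /etc/pulledpork/pulledpork.conf -vv -P
configure_pulledpork "$PP_SAMPLE_CONF" "${OINKCODE:-<oinkcode>}" balanced
grep -v '^#' "$PP_SAMPLE_CONF"
```

The helper only touches the first matching line for each key, so the commented-out Emerging Threats rule_url in the sample stays commented; if you want both feeds, append a second rule_url line instead of calling pp_set twice.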




From: Khanh Tran [mailto:ktran () ktran com]
Sent: 22 September 2014 20:06
To: snort-users () lists sourceforge net; Kurzawa, Kevin; Sharif Uddin
Subject: Re: [Snort-users] memcap maxed out


I sorta fixed the problem but honestly, I'm not sure if it's the right solution (I just don't know what the heck I'm 
doing; first time installing Snort).

I did two things:

  1.  I had 4 ports spanned to snort's monitoring promiscuous interface. Snort's switch interface had tons of packet 
drops. Way too much traffic, which I believe contributes to buffer overflow. Also, with tons of dropped packets snort 
is not able to see RX and TX in order to analyze traffic? (Don't know for sure but still researching. I don't know what 
info snort requires in order to analyze traffic. Does it require complete established sessions before analyzing? For 
testing purposes, I removed stream5_tcp: 'require_3whs' (3 way handshakes) but that didn't help). In any case, having 
one span port to snort helps a lot. Dropping tons of packets is never a good thing :)
  2.  I've also changed and added the following parameters (below) in /etc/snort/snort.conf. max_queued_bytes 
and max_queued_segs seem to help a lot to remove these messages. My box has tons of memory so I figured 80MB and 40MB 
respectively should be ok.

# Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   memcap 1073741824, \
   max_tcp 1048576, \
   max_udp 1048576, \
   prune_log_max 1073741824, \
   max_active_responses 4, \
   min_response_seconds 6
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, max_queued_bytes 90485760, max_queued_segs 40485760, \



Regarding high CPU, it's Snorby for me. It hogs a lot of CPU.

Thanks



KT

====================


On September 22, 2014 at 12:32 PM Sharif Uddin <Sharif.Uddin () spectrumasa com> wrote:
After the changes I made, provided by Khanh, it has reduced the messages a lot; however, I do still get a few of the 
following:



Sep 20 20:07:11 snort dbus-daemon: dbus[580]: [system] Activating via systemd: service 
name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Sep 20 20:07:11 snort systemd: Starting Network Manager Script Dispatcher Service...
Sep 20 20:07:11 snort dbus-daemon: dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Sep 20 20:07:11 snort dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Sep 20 20:07:11 snort systemd: Started Network Manager Script Dispatcher Service.
Sep 20 20:58:17 snort snort[4675]: S5: Pruned session from cache that was using 23197249 bytes (stale/timeout). 
172.16.10.1 57087 --> 172.16.0.12 49155 (0) : LWstate 0x1 LWFlags 0x412001
Sep 20 21:01:01 snort systemd: Starting Session 201 of user root.
Sep 20 21:01:01 snort systemd: Started Session 201 of user root.
Sep 20 21:03:58 snort snort[4675]: S5: Pruned session from cache that was using 4443620 bytes (stale/timeout). 
172.16.16.44 57483 --> 172.16.0.36 8080 (0) : LWstate 0x1 LWFlags 0x412001
Sep 20 21:59:46 snort snort[4675]: S5: Pruned session from cache that was using 6225120 bytes (stale/timeout). 
172.16.10.1 58760 --> 172.16.0.12 49155 (0) : LWstate 0x1 LWFlags 0x412001
Sep 20 22:01:01 snort systemd: Starting Session 202 of user root.
Sep 20 22:01:01 snort systemd: Started Session 202 of user root.
Sep 20 23:01:01 snort systemd: Starting Session 203 of user root.
Sep 20 23:01:01 snort systemd: Started Session 203 of user root.
Sep 20 23:07:07 snort snort[4675]: S5: Pruned session from cache that was using 24539548 bytes (stale/timeout). 
172.16.16.44 44858 --> 172.16.0.36 8080 (0) : LWstate 0x1 LWFlags 0x412001
Sep 21 00:01:01 snort systemd: Starting Session 204 of user root.
Sep 21 00:01:01 snort systemd: Started Session 204 of user root.
Sep 21 01:01:01 snort systemd: Starting Session 205 of user root.
Sep 21 01:01:01 snort systemd: Started Session 205 of user root.
Sep 21 01:31:54 snort dhclient[1910]: DHCPREQUEST on em1 to 172.16.0.11 port 67 (xid=0x3b0b675d)
Sep 21 01:31:54 snort NetworkManager: DHCPREQUEST on em1 to 172.16.0.11 port 67 (xid=0x3b0b675d)
Sep 21 01:31:54 snort dhclient[1910]: DHCPACK from 172.16.0.11 (xid=0x3b0b675d)
Sep 21 01:31:54 snort NetworkManager: DHCPACK from 172.16.0.11 (xid=0x3b0b675d)
Sep 21 01:31:54 snort dhclient[1910]: bound to 172.16.3.14 -- renewal in 17936 seconds.
Sep 21 01:31:54 snort NetworkManager[571]: <info> (em1): DHCPv4 state changed renew -> renew
Sep 21 01:31:54 snort NetworkManager[571]: <info>   address 172.16.3.14
Sep 21 01:31:54 snort NetworkManager[571]: <info>   plen 22 (255.255.252.0)
Sep 21 01:31:54 snort NetworkManager[571]: <info>   gateway 172.16.0.1
Sep 21 01:31:54 snort NetworkManager[571]: <info>   server identifier 172.16.0.11
Sep 21 01:31:54 snort NetworkManager[571]: <info>   lease time 43200
Sep 21 01:31:54 snort NetworkManager[571]: <info>   nameserver '172.16.0.11'
Sep 21 01:31:54 snort NetworkManager[571]: <info>   nameserver '172.16.0.15'
Sep 21 01:31:54 snort NetworkManager[571]: <info>   domain name 'uk.spectrumasa.com'
Sep 21 01:31:54 snort NetworkManager[571]: <info>   domain search 'uk.spectrumasa.com.'
Sep 21 01:31:54 snort NetworkManager[571]: <info>   domain search 'spectrumasa.com.'
Sep 21 01:31:54 snort NetworkManager[571]: <info>   domain search 'usa.spectrumasa.com.'
Sep 21 01:31:54 snort NetworkManager[571]: <info>   domain search 'houston.'
Sep 21 01:31:54 snort NetworkManager[571]: <info>   domain search 'cairo.'
Sep 21 01:31:54 snort dbus[580]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' 
unit='dbus-org.freedesktop.nm-dispatcher.service'
Sep 21 01:31:54 snort NetworkManager: bound to 172.16.3.14 -- renewal in 17936 seconds.
Sep 21 01:31:54 snort dbus-daemon: dbus[580]: [system] Activating via systemd: service 
name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Sep 21 01:31:54 snort systemd: Starting Network Manager Script Dispatcher Service...
Sep 21 01:31:54 snort dbus-daemon: dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Sep 21 01:31:54 snort dbus[580]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Sep 21 01:31:54 snort systemd: Started Network Manager Script Dispatcher Service.
Sep 21 01:46:57 snort snort[4675]: S5: Pruned session from cache that was using 19672851 bytes (stale/timeout). 
172.16.10.1 59497 --> 172.16.0.12 49155 (0) : LWstate 0x1 LWFlags 0x412001
Sep 21 02:01:01 snort systemd: Starting Session 206 of user root.
Sep 21 02:01:01 snort systemd: Started Session 206 of user root.
Sep 21 02:01:28 snort snort[4675]: S5: Pruned session from cache that was using 1929768 bytes (stale/timeout). 
172.16.0.69 35346 --> 23.63.99.217 80 (0) : LWstate 0x1 LWFlags 0x12001
Sep 21 02:07:03 snort snort[4675]: S5: Pruned session from cache that was using 24514203 bytes (stale/timeout). 
172.16.16.44 44393 --> 172.16.0.36 8080 (0) : LWstate 0x1 LWFlags 0x412001
Sep 21 02:16:21 snort snort[4675]: S5: Pruned session from cache that was using 2926002 bytes (stale/timeout). 
172.16.10.1 60985 --> 172.16.0.12 49155 (0) : LWstate 0x1 LWFlags 0x412001
Sep 21 03:01:01 snort systemd: Starting Session 207 of user root.
Sep 21 03:01:01 snort systemd: Started Session 207 of user root.
Sep 21 03:24:37 snort snort[4675]: S5: Pruned session from cache that was using 22292355 bytes (stale/timeout). 
172.16.17.87 49284 --> 172.16.3.240 445 (0) : LWstate 0x1 LWFlags 0x412001



From: Kurzawa, Kevin [mailto:kkurzawa () co pinellas fl us]
Sent: 22 September 2014 17:04
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] memcap maxed out

Did you ever get a response or an answer to this? I used to get these non-stop. My CPU was being taxed by the process 
though, averaging 80% utilization. Memory was only about 3GB out of 8GB though. So I always thought this was very odd.

Turns out after I went from an old HP ProLiant DL360 to a newer, but still old Cisco server (I don’t have the model in 
front of me now), those messages disappeared. While the Cisco CPU is actually clocked slower, it only gets about 5% 
utilization. Go figure. I am told that it has to do with the CPU’s Streaming SIMD Extensions (SSE) set being older on 
the HP (SSE2, I think). The newer SSE of the cisco (SSE3, I think) handles the same traffic from that tap (~20Mbps), 
plus traffic from another tap (~50Mbps) without batting an eye.


From: Sharif Uddin [mailto:Sharif.Uddin () spectrumasa com]
Sent: Tuesday, September 16, 2014 10:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] memcap maxed out

Hello

I have set stream5 as follows:

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   memcap 1073741824, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, max_queued_segs 0, max_queued_bytes 0, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \


However, I still get the following in the logs. Is this normal?




Sep 16 15:45:00 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 137 ssns remain.  memcap: 
1073734853/1073741824
Sep 16 15:45:00 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 132 ssns remain.  memcap: 
1073733155/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 156 ssns remain.  memcap: 
1073728713/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 151 ssns remain.  memcap: 
1073737880/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 147 ssns remain.  memcap: 
1073739465/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 143 ssns remain.  memcap: 
1073739742/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 138 ssns remain.  memcap: 
1073739597/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 133 ssns remain.  memcap: 
1073739179/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 128 ssns remain.  memcap: 
1073739614/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 123 ssns remain.  memcap: 
1073740666/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned session from cache that was using 30689490 bytes (memcap/check). 
172.16.0.200 54138 --> 172.16.0.22 445 (0) : LWstate 0x40 LWFlags 0x422101
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 118 ssns remain.  memcap: 
1043016415/1073741824



Sharif Uddin
Development/Support Engineer
-------------------
Spectrum Geo Ltd
Dukes Court, Duke Street
Woking, Surrey
GU21 5BH
UNITED KINGDOM
Tel: +44 (0) 1483 730201
Fax: +44 (0) 1483 762620

www.spectrumasa.com


IMPORTANT - This message and any attached files contain information intended for the exclusive use of the party or 
parties to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt 
from disclosure under applicable law. If you are not an intended recipient, you are hereby notified that any viewing, 
copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify 
the sender immediately and delete the original message without making any copies. Copyright in this email and any 
attachments belong to Spectrum Geo Limited.
We cannot guarantee the security or confidentiality of email communications. We do not accept any liability for losses 
or damages that you may suffer as a result of your receipt of this email.
Email communication with Spectrum Geo Ltd., may be monitored as permitted by UK legislation.
Spectrum Geo Limited, is a limited company registered in England and Wales. Registered number: 1979422. Registered 
office: 95 Aldwych, London WC2B 4JF.
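
To make sense of the S5 prune messages quoted in this thread, here is an added example that is not part of any message in it: three awk functions wrapped in sh that separate memcap evictions ("memcap/check") from idle timeouts ("stale/timeout"), report the peak memcap utilisation, and total the reassembly bytes released per destination host:port. The sample log it runs on is constructed from the message formats seen in the thread, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): summarise Snort stream5 "S5: Pruned ..." syslog lines so
# you can tell memcap pressure from ordinary timeouts, and see which flows hold the reassembly
# memory. The log below is constructed for this example, modelled on the messages in the thread.

S5_SAMPLE_LOG=$(mktemp)
trap 'rm -f "$S5_SAMPLE_LOG"' EXIT
cat > "$S5_SAMPLE_LOG" <<'EOF'
Sep 16 15:45:00 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 137 ssns remain.  memcap: 1073734853/1073741824
Sep 16 15:45:01 snort snort[1670]: S5: Pruned session from cache that was using 30689490 bytes (memcap/check). 172.16.0.200 54138 --> 172.16.0.22 445 (0) : LWstate 0x40 LWFlags 0x422101
Sep 16 15:45:01 snort snort[1670]: S5: Pruned 5 sessions from cache for memcap. 118 ssns remain.  memcap: 1043016415/1073741824
Sep 20 20:58:17 snort snort[4675]: S5: Pruned session from cache that was using 23197249 bytes (stale/timeout). 172.16.10.1 57087 --> 172.16.0.12 49155 (0) : LWstate 0x1 LWFlags 0x412001
Sep 20 21:59:46 snort snort[4675]: S5: Pruned session from cache that was using 6225120 bytes (stale/timeout). 172.16.10.1 58760 --> 172.16.0.12 49155 (0) : LWstate 0x1 LWFlags 0x412001
Sep 21 02:01:01 snort systemd: Started Session 206 of user root.
Sep 21 02:01:28 snort snort[4675]: S5: Pruned session from cache that was using 1929768 bytes (stale/timeout). 172.16.0.69 35346 --> 23.63.99.217 80 (0) : LWstate 0x1 LWFlags 0x12001
EOF

# s5_memcap_peak_pct LOG: highest memcap utilisation (integer percent) seen in
# "Pruned N sessions from cache for memcap ... memcap: used/limit" lines. Anything near 100
# means stream5 is evicting live sessions to stay under memcap, not just expiring idle ones.
s5_memcap_peak_pct() {
    awk '/S5: Pruned [0-9]+ sessions from cache for memcap/ {
            split($NF, m, "/")
            pct = 100 * m[1] / m[2]
            if (pct > max) max = pct
         }
         END { printf "%d\n", max }' "$1"
}

# s5_prune_reasons LOG: count per-session prunes by reason, e.g. "memcap/check" (evicted for
# memory) versus "stale/timeout" (idle past the stream5_tcp timeout).
s5_prune_reasons() {
    awk '/S5: Pruned session from cache that was using/ {
            for (i = 1; i <= NF; i++) if ($i == "bytes") { r = $(i + 1); break }
            gsub(/[().]/, "", r)
            n[r]++
         }
         END { for (k in n) printf "%s %d\n", k, n[k] }' "$1" | sort
}

# s5_top_consumers LOG: bytes of reassembly buffer released per destination host:port across
# per-session prunes, largest first, with the number of sessions. A server that keeps showing
# up with tens of MB per session (the 445 and 49155 flows in the thread) is where the memcap
# is going.
s5_top_consumers() {
    awk '/S5: Pruned session from cache that was using/ {
            for (i = 1; i <= NF; i++) if ($i == "using") { bytes = $(i + 1); break }
            for (i = 1; i <= NF; i++) if ($i == "-->") { key = $(i + 1) ":" $(i + 2); break }
            total[key] += bytes
            sessions[key]++
         }
         END { for (k in total) printf "%s %d %d\n", k, total[k], sessions[k] }' "$1" \
    | sort -k2,2nr
}

# Stand-alone run against the sample (or a real syslog file given as $1).
LOG=${1:-$S5_SAMPLE_LOG}
echo "peak memcap use: $(s5_memcap_peak_pct "$LOG")%"
echo "prunes by reason:"; s5_prune_reasons "$LOG"
echo "top consumers (dst:port bytes sessions):"; s5_top_consumers "$LOG"
```

Run it against /var/log/messages (or wherever snort logs via syslog) rather than the sample: a peak near 100% with a large "memcap/check" count is the symptom from the original message, while a run of "stale/timeout" prunes with small memcap use, as in the later logs, is stream5 doing its normal housekeeping.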



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


