Snort mailing list archives

Re: snort 1.8.6 crashing when running two instances on the same interface with Openbsd


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 15 Apr 2002 16:26:23 -0700 (PDT)

On Tue, 16 Apr 2002, Jerome Magnin wrote:

[Comments inline]

I'm running two instances of snort on the same interface of my firewall to
monitor all the traffic to a honeypot. My firewall has 3 NICs, one for the
ADSL modem, one for the LAN (100) and one for the honeynet (100). The CPU is
a 166MHz K6 and the amount of RAM is 32MB.

From your error, I think you're running out of memory.  Consider what the OBSD
kernel will use, then on top of that, add on what 2 instances of snort will
use.  With your 'default' configs, stream4 allocates 8MB per instance, leaving
only 16MB for the OS, firewall, and rest of snort to use.

I have almost the default configuration (see below) and I use these two
command lines:

/usr/local/bin/snort -c /usr/local/etc/snort/snort-hp.conf -A fast -i xl0 -D
/usr/local/bin/snort -dvi xl0 -D -b

If you are using -b you do not need to ever use -v or -d.  You're telling it
to log each packet to STDOUT and decode the packets while logging to binary.
Binary logging logs the full packet for later readback and examination.  I'd
suggest changing that to "-i xl0 -D -b" instead.

If I do a full portscan of the honeypot from a workstation within my LAN, the fw
crashes and reboots. The message displayed is:

panic: malloc: out of space in kmem_map

My questions are:

1- Is it possible to have a dump of _all_ the traffic and not just logged
packets PLUS "real time" alerts with a single snort process?

Sure.  Add a "log any" rule to the .conf for the honeypot.  Better yet, go and
check out Lance Spitzner's config for honeypots at:

  http://project.honeynet.org/papers/honeynet/snort.conf

2- Is my problem a known problem and if yes, what is the workaround if any?

No, not known.  Seems to be your setup.

3- Is it a snort issue or an openbsd issue?

I'm guessing it's hardware.  I'd guess there's just not enough memory left on
the box to keep track of all the streams of data coming in and reassemble them
all.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
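As an added illustration of the answer to question 1 (not part of the original thread, and not Lance Spitzner's published config), the following snort.conf fragment shows how a single snort 1.8 process can both dump every packet to/from the honeynet and still raise alerts. The HONEYNET address range, the lowered stream4 memcap value, and the exploit.rules include are assumptions chosen for this example.

```snort
# Added example, not from the original thread.
# HONEYNET range is a constructed value; adjust to the real honeynet subnet.
var HONEYNET 192.168.100.0/24

# stream4 defaults to an 8 MB memcap per snort process.  On a 32 MB box with
# one instance instead of two, lowering it (value in bytes; 4 MB is assumed
# here) leaves more room for the kernel and the firewall.
preprocessor stream4: memcap 4194304

# "log any" rule: every IP packet in either direction to/from the honeynet
# is logged.  With -b on the command line this is written as one binary
# (tcpdump-format) file rather than per-packet ASCII decodes.
log ip any any <> $HONEYNET any (msg:"honeynet traffic";)

# Alert rules keep firing as usual; snort evaluates alert rules before log
# rules by default, so the dump does not suppress alerts.  The file name is
# assumed; use whatever rule sets are installed under /usr/local/etc/snort/.
include /usr/local/etc/snort/exploit.rules
```

With this in place one process replaces the two from the original post, e.g. `/usr/local/bin/snort -c /usr/local/etc/snort/snort-hp.conf -A fast -i xl0 -D -b`: fast alerts go to the alert file, and the log rule plus -b produce the full binary capture, with only one stream4 memcap charged against the 32MB.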


