Snort mailing list archives
snort >= 2.1.2 on OpenBSD -current and memory limits
From: Jon Hart <warchild () spoofed org>
Date: Tue, 27 Apr 2004 22:53:45 -0400
Hi, I've rambled about this problem on and off in #snort a few times. I'm running OpenBSD 3.5 -current, and I've tried both Snort 2.1.2 from ports and 2.1.2 and 2.1.3RC1 from source. My snort.conf is mostly default, the only exception being I'm using some of the rule files that are disabled by default. The problem is this: FATAL ERROR: No memory in mwmPrephashedPatternGroups() Try uncommenting the "config detection: search-method"in snort.conf I'd much rather not settle for a sub-optimal search method. This machine has 256M of RAM (plus 256M of swap), and does little else except some light firewall duties. Something somewhere is killing snort, because once is tries to malloc() more than 64M in total, further malloc()s fail. It just so happens that this particular malloc() is in sfutil/mwm.c. A week or more ago I thought I had it figured out. /etc/login.conf looked to be imposing memory limits on the group that my snort user was in, so I bumped it up higher. This worked for a bit until I updated my ruleset. As luck would have it, the additional rules again bumped me up over some memory limit, and once again the same malloc() is failing. Now regardless of how high I put the limits, the malloc still fails. I can verify this by running some simple C code that mallocs ~64M of memory. It'll fail. It will also fail if I run the same code as root, which makes me think that /etc/login.conf is no longer at fault. I recall earlier this week on the OpenBSD lists one of the developers talking about memory (stack?) limitations on the Sparc, and that they would never go over 8M. This makes me think that somewhere there is a memory limit I don't know about. So.... does anyone here use Snort on a truly current openbsd box? If so, what did you do to get it to work. Thanks, -jon ------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort >= 2.1.2 on OpenBSD -current and memory limits Jon Hart (Apr 27)
- Re: snort >= 2.1.2 on OpenBSD -current and memory limits Jon Hart (Apr 30)
- Re: snort >= 2.1.2 on OpenBSD -current and memory limits Jon Hart (May 10)
- Re: snort >= 2.1.2 on OpenBSD -current and memory limits Jon Hart (Apr 30)