Snort mailing list archives
Re: Snort 2.6.0.2 (Build 85) - pfault
From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 20 Oct 2006 14:57:18 -0400
True, but much slower. Read: http://www.snort.org/docs/faq/3Q06/node86.html

Joel

Chris U wrote:
> Hi Snort Users,
>
> I just wanted to say thanks for helping me out... It has come to my
> attention that Snort 2.6 consumes a vast amount of memory [when compared
> to previous releases, 2.4.x]. My solution was to uncomment
> "config detection: search-method lowmem". Snort *now* runs smoothly,
> consuming between 40-60 MB of RAM.
>
> Thanks again,
> Chris
>
> On 10/19/06, rmkml <rmkml () free fr> wrote:
> > Hi Chris,
> > snort26 uses more memory and maybe the freebsd vm killed the snort
> > process ... what is in your log (syslog)? how much memory do you have?
> > Regards
> > Rmkml
> >
> > On Thu, 19 Oct 2006, Chris U wrote:
> > > Date: Thu, 19 Oct 2006 16:50:00 -1000
> > > From: Chris U <chris.uyehara () gmail com>
> > > To: Snort-users () lists sourceforge net
> > > Subject: [Snort-users] Snort 2.6.0.2 (Build 85) - pfault
> > >
> > > Hi Snort Users,
> > >
> > > I'm in need of some help... I am using FreeBSD 5.5 [Generic Kernel]. I
> > > installed Snort via ports. When I run snort with the following command
> > > line:
> > >
> > >   "snort -i sis0 -v -c snort.conf -l ./logs"
> > >
> > > Snort tries to start up... what really happens... snort begins to
> > > consume RAM; once RAM has been fully consumed it consumes SWAP. Once
> > > SWAP is full, Snort will die and pfault - or so says top. I have
> > > included a snippet of output from top and snort. A nicely printed
> > > version is available at http://tinyurl.com/yxdekg
> > >
> > > Any help would be greatly appreciated!
> > >
> > > Mahalo,
> > > Chris
> > >
> > > ~~~~~~~~~~~~~ BEGIN top snippet ~~~~~~~~~~~~~
> > >   PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
> > >   471 root     124    0  194M   193M RUN      0:38 93.03% 80.47% snort
> > >   440 root      96    0 2260K  1092K RUN      0:06  1.76%  1.76% top
> > > ~~~~~~~~~~~~~ END top snippet ~~~~~~~~~~~~~
> > >
> > > ~~~~~~~~~~~~~ BEGIN snort snippet ~~~~~~~~~~~~~
> > > [root@kalua /usr/local/etc/snort]# snort -i sis0 -v -c snort.conf -l ./logs
> > > Running in IDS mode
> > >
> > >         --== Initializing Snort ==--
> > > Initializing Output Plugins!
> > > Initializing Preprocessors!
> > > Initializing Plug-ins!
> > > Parsing Rules file snort.conf
> > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > Initializing rule chains...
> > > Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> > > Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> > > Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> > > Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> > > Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> > > Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> > > Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
> > > Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> > > Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> > > Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> > > Var 'AIM_SERVERS' defined, value len = 185 chars
> > > [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> > > Var 'RULE_PATH' defined, value len = 7 chars, value = ./rules
> > > ,-----------[Flow Config]----------------------
> > > | Stats Interval:  0
> > > | Hash Method:     2
> > > | Memcap:          10485760
> > > | Rows  :          4099
> > > | Overhead Bytes:  16400(%0.16)
> > > `----------------------------------------------
> > > Frag3 global config:
> > >     Max frags: 65536
> > >     Fragment memory cap: 4194304 bytes
> > > Frag3 engine config:
> > >     Target-based policy: FIRST
> > >     Fragment timeout: 60 seconds
> > >     Fragment min_ttl:   1
> > >     Fragment ttl_limit: 5
> > >     Fragment Problems: 1
> > >     Bound Addresses: 0.0.0.0/0.0.0.0
> > > Stream4 config:
> > >     Stateful inspection: ACTIVE
> > >     Session statistics: INACTIVE
> > >     Session timeout: 30 seconds
> > >     Session memory cap: 8388608 bytes
> > >     Session count max: 8192 sessions
> > >     Session cleanup count: 5
> > >     State alerts: INACTIVE
> > >     Evasion alerts: INACTIVE
> > >     Scan alerts: INACTIVE
> > >     Log Flushed Streams: INACTIVE
> > >     MinTTL: 1
> > >     TTL Limit: 5
> > >     Async Link: 0
> > >     State Protection: 0
> > >     Self preservation threshold: 50
> > >     Self preservation period: 90
> > >     Suspend threshold: 200
> > >     Suspend period: 30
> > >     Enforce TCP State: INACTIVE
> > >     Midstream Drop Alerts: INACTIVE
> > >     Server Data Inspection Limit: -1
> > > WARNING snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
> > > Stream4_reassemble config:
> > >     Server reassembly: INACTIVE
> > >     Client reassembly: ACTIVE
> > >     Reassembler alerts: ACTIVE
> > >     Zero out flushed packets: INACTIVE
> > >     Flush stream on alert: INACTIVE
> > >     flush_data_diff_size: 500
> > >     Reassembler Packet Preferance : Favor Old Packet
> > >     Sequence Overlap Limit: -1
> > >     Flush behavior: Small (<255 bytes)
> > >     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> > >     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> > > HttpInspect Config:
> > >     GLOBAL CONFIG
> > >       Max Pipeline Requests:    0
> > >       Inspection Type:          STATELESS
> > >       Detect Proxy Usage:       NO
> > >       IIS Unicode Map Filename: ./unicode.map
> > >       IIS Unicode Map Codepage: 1252
> > >     DEFAULT SERVER CONFIG:
> > >       Ports: 80 8080 8180
> > >       Flow Depth: 300
> > >       Max Chunk Length: 500000
> > >       Inspect Pipeline Requests: YES
> > >       URI Discovery Strict Mode: NO
> > >       Allow Proxy Usage: NO
> > >       Disable Alerting: NO
> > >       Oversize Dir Length: 500
> > >       Only inspect URI: NO
> > >       Ascii: YES alert: NO
> > >       Double Decoding: YES alert: YES
> > >       %U Encoding: YES alert: YES
> > >       Bare Byte: YES alert: YES
> > >       Base36: OFF
> > >       UTF 8: OFF
> > >       IIS Unicode: YES alert: YES
> > >       Multiple Slash: YES alert: NO
> > >       IIS Backslash: YES alert: NO
> > >       Directory Traversal: YES alert: NO
> > >       Web Root Traversal: YES alert: YES
> > >       Apache WhiteSpace: YES alert: NO
> > >       IIS Delimiter: YES alert: NO
> > >       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> > >       Non-RFC Compliant Characters: NONE
> > >       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> > > rpc_decode arguments:
> > >     Ports to decode RPC on: 111 32771
> > >     alert_fragments: INACTIVE
> > >     alert_large_fragments: ACTIVE
> > >     alert_incomplete: ACTIVE
> > >     alert_multiple_requests: ACTIVE
> > > Portscan Detection Config:
> > >     Detect Protocols:  TCP UDP ICMP IP
> > >     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
> > >     Sensitivity Level: Low
> > >     Memcap (in bytes): 10000000
> > >     Number of Nodes:   36900
> > > 5462 Snort rules read...
> > > 5462 Option Chains linked into 210 Chain Headers
> > > 0 Dynamic rules
> > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > Tagged Packet Limit: 256
> > > +-----------------------[thresholding-config]----------------------------------
> > > | memory-cap : 1048576 bytes
> > > +-----------------------[thresholding-global]----------------------------------
> > > | none
> > > +-----------------------[thresholding-local]-----------------------------------
> > > | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5  seconds=60
> > > | gen-id=1 sig-id=2523 type=Both      tracking=dst count=10 seconds=10
> > > | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5  seconds=2
> > > | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5  seconds=2
> > > | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5  seconds=2
> > > | gen-id=1 sig-id=4984 type=Threshold tracking=src count=5  seconds=2
> > > | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
> > > | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
> > > | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5  seconds=2
> > > | gen-id=1 sig-id=3527 type=Limit     tracking=dst count=5  seconds=60
> > > +-----------------------[suppression]------------------------------------------
> > > | none
> > > -------------------------------------------------------------------------------
> > > Rule application order: ->activation->dynamic->pass->drop->alert->log
> > > Log directory = ./logs
> > > Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so... done
> > > Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/...
> > >   Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> > >   Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
> > >   Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
> > >   Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
> > > FTPTelnet Config:
> > >     GLOBAL CONFIG
> > >       Inspection Type: stateful
> > >       Check for Encrypted Traffic: YES alert: YES
> > >       Continue to check encrypted data: NO
> > >     TELNET CONFIG:
> > >       Ports: 23
> > >       Are You There Threshold: 200
> > >       Normalize: YES
> > >     FTP CONFIG:
> > >       FTP Server: default
> > >         Ports: 21
> > >         Check for Telnet Cmds: YES alert: YES
> > >         Identify open data channels: YES
> > >       FTP Client: default
> > >         Check for Bounce Attacks: YES alert: YES
> > >         Check for Telnet Cmds: YES alert: YES
> > >         Max Response Length: 256
> > > SMTP Config:
> > >     Ports: 25
> > >     Inspection Type: STATEFUL
> > >     Normalize Spaces: YES
> > >     Ignore Data: NO
> > >     Ignore TLS Data: NO
> > >     Ignore Alerts: NO
> > >     Max Command Length: 0
> > >     Max Header Line Length: 0
> > >     Max Response Line Length: 0
> > >     X-Link2State Alert: YES
> > >     Drop on X-Link2State Alert: NO
> > > DNS config:
> > >     DNS Client rdata txt Overflow Alert: ACTIVE
> > >     Obsolete DNS RR Types Alert: INACTIVE
> > >     Experimental DNS RR Types Alert: INACTIVE
> > >     Ports: 53
> > > Verifying Preprocessor Configurations!
> > > Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> > > Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> > > Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> > > Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.
> > >
> > > Initializing Network Interface sis0
> > > Var 'sis0_ADDRESS' defined, value len = 25 chars, value = 10.100.10.0/255.255.255.0
> > > Decoding Ethernet on interface sis0
> > > Killed
> > > [root@kalua /usr/local/etc/snort]#
> > > ~~~~~~~~~~~~~ END snort snippet ~~~~~~~~~~~~~
--
+---------------------------------------------------------------------+
Joel Esler
Senior Security Consultant
1-706-627-2101
Sourcefire
Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
AIM: eslerjoel   Gtalk: eslerj   Yahoo: eslerjoel
+---------------------------------------------------------------------+

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
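Joel's caveat (lowmem is much slower) and Chris's fix (lowmem cut Snort to 40-60 MB) both argue for measuring each search method on the sensor before choosing one. The script below is an added example, not part of this thread or of Snort itself: it writes a wrapper config that pins one search-method, test-loads it with snort -T under time(1), and reports peak resident set size. The method list, the use of BSD /usr/bin/time -l, and the wrapper-config approach are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: run "snort -T" (configuration test)
# once per fast-pattern search method and report the peak resident set size,
# so the memory/speed trade-off can be measured before committing to lowmem.
# Assumptions: Snort 2.6 on FreeBSD, BSD /usr/bin/time -l (GNU time prints
# "Maximum resident set size" with -v instead), and snort.conf in the current
# directory so its relative paths (./rules, ./unicode.map) resolve.

# Search methods to compare. The set is assumed from the Snort 2.6 manual;
# "ac" (the default) and "lowmem" are the two this thread talks about.
METHODS="ac ac-std ac-banded ac-sparsebands lowmem"

# Emit a wrapper config that pins one search method, then includes the real
# config. $1 = search method, $2 = path of the base snort.conf.
gen_conf() {
    printf 'config detection: search-method %s\n' "$1"
    printf 'include %s\n' "$2"
}

# Pull the "maximum resident set size" value (KB) out of BSD time -l output.
max_rss_kb() {
    awk '/maximum resident set size/ { print $1; exit }'
}

# For each method: write the wrapper, test-load the config under time(1),
# print peak RSS. Returns 1 (with a message) when no snort binary is in PATH.
compare_methods() {
    base="${1:-snort.conf}"
    command -v snort >/dev/null 2>&1 || { echo "snort not in PATH" >&2; return 1; }
    for m in $METHODS; do
        tmp="/tmp/snort-$m-$$.conf"
        gen_conf "$m" "$base" > "$tmp"
        # -T: load the config and rules, then exit; time(1) reports on stderr.
        rss=$( { /usr/bin/time -l snort -T -c "$tmp" >/dev/null; } 2>&1 | max_rss_kb )
        printf '%-16s peak RSS: %s KB\n' "$m" "${rss:-unknown}"
        rm -f "$tmp"
    done
}
```

Run compare_methods from the directory holding snort.conf and compare the figures against the box's RAM (the 193M RES in Chris's top output is the number to beat); if a method's RSS leaves no headroom for the 8 MB stream4 and 10 MB flow memcaps shown in the startup dump, it is not a safe choice.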
Current thread:
- Snort 2.6.0.2 (Build 85) - pfault Chris U (Oct 19)
- Re: Snort 2.6.0.2 (Build 85) - pfault Chris U (Oct 20)
- Re: Snort 2.6.0.2 (Build 85) - pfault Joel Esler (Oct 20)
- Re: Snort 2.6.0.2 (Build 85) - pfault Chris U (Oct 20)