Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question

From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
Date: Thu, 21 Jul 2011 10:53:48 -0500
I reboot weekly.  No I don't get the errors when I remove the environment variables but I get tremendous packet loss. 

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Monday, July 18, 2011 3:21 PM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

And you get the same error trying to run snort when you leave the environment variables off?

On Mon, Jul 18, 2011 at 2:48 PM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:

Mem:  12462404k total,   470188k used, 11992216k free,     1056k


It shows I have 12GB
-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Monday, July 18, 2011 12:10 PM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

That error message indicates the box doesn't have enough RAM for PF_RING to allocate its memory.  Are you sure you're 
not low in RAM for the box?  That might also be a product of using PCAP_MEMORY=6120.
Try removing the environment variables as they shouldn't be needed anyway when using PF_RING (as the modprobe.conf 
settings control it).

On Mon, Jul 18, 2011 at 9:42 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:

I have been running snort for over a year now. Nothing has changed in 
my configuration (except new rules). I have been running the same 
rule categories for a year. All of the sudden (about a month ago) 
snort started randomly stopping with no apparent errors in the logs. 
The only error I get is when I try to restart snort I get the following error.



7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) 
- can't mmap rx ring: Cannot allocate memory!





As I said the only variable I have are the actual rules that are 
updated from ET and Sourcefire. Could a rule be causing this?



Here are the stats on my snort config:





   ,,_     -*> Snort! <*-

  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)

   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team

           Copyright (C) 1998-2011 Sourcefire, Inc., et al.

           Using libpcap version 1.1.1

           Using PCRE version: 6.6 06-Feb-2006

           Using ZLIB version: 1.2.3





PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c 
/etc/snort/snort.conf -i eth1 -D





top - 09:41:21 up 2 days, 24 min,  1 user,  load average: 0.14, 0.24,
0.22

Tasks: 383 total,   1 running, 382 sleeping,   0 stopped,   0 zombie

Cpu(s):  0.2%us,  0.1%sy,  0.0%ni, 99.6%id,  0.0%wa,  0.0%hi,  
0.0%si, 0.0%st

Mem:  12462404k total,   470188k used, 11992216k free,     1056k 
buffers

Swap:  1020116k total,        0k used,  1020116k free,   260968k 
cached

---------------------------------------------------------------------
-
-------- AppSumo Presents a FREE Video for the SourceForge Community 
by Eric Ries, the creator of the Lean Startup Methodology on "Lean 
Startup Secrets Revealed." This video shows you how to validate your 
ideas, optimize your ideas and identify your business strategy.
http://p.sf.net/sfu/appsumosfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation





------------------------------------------------------------------------------
5 Ways to Improve & Secure Unified Communications
Unified Communications promises greater efficiencies for business. UC can 
improve internal communications as well as offer faster, more efficient ways
to interact with customers and streamline customer service. Learn more!
http://www.accelacomm.com/jaw/sfnl/114/51426253/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
Previous By Date Next
Previous By Thread Next

Current thread: