Snort mailing list archives

Re: Question


From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
Date: Fri, 22 Jul 2011 10:30:28 -0500

Thanks. I always thought the more memory you allocate to snort the less the packet loss.  

1. When I start with the variables (which I have been using for a year with no problem) I get no packet loss.  However 
the snort process just "disappears/stops after 24 hours" with no logs as to why. 
2. When I start without the variables Snort is stable but I get an average of 25% packet loss. 

Again I have 12GB of memory on this R710. I can't imagine why it's running out of memory.  And the fact that it's been 
running fine for a year is what's killing me. It has to be a rule causing this. 

7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) can't mmap rx ring: Cannot allocate memory!

PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D



-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Thursday, July 21, 2011 11:11 AM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

The packet loss is a separate tuning issue.  That probably means things are working.  Run Snort configured with just a 
few rules that hit often to test it and look at your packet loss then.  If you are monitoring more than a few hundred 
MB/sec and you are running more than 1000 rules, I guarantee you will be dropping packets.

On Thu, Jul 21, 2011 at 10:53 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:
I reboot weekly.  No I don't get the errors when I remove the environment variables but I get tremendous packet loss.

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Monday, July 18, 2011 3:21 PM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

And you get the same error trying to run snort when you leave the environment variables off?

On Mon, Jul 18, 2011 at 2:48 PM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:
Mem:  12462404k total,   470188k used, 11992216k free,     1056k


It shows I have 12GB
-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Monday, July 18, 2011 12:10 PM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

That error message indicates the box doesn't have enough RAM for PF_RING to allocate its memory.  Are you sure 
you're not low in RAM for the box?  That might also be a product of using PCAP_MEMORY=6120.
Try removing the environment variables as they shouldn't be needed anyway when using PF_RING (as the modprobe.conf 
settings control it).

On Mon, Jul 18, 2011 at 9:42 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:
I have been running snort for over a year now. Nothing has changed 
in my configuration (except new rules). I have been running the same 
rule categories for a year. All of a sudden (about a month ago) 
snort started randomly stopping with no apparent errors in the logs.
The only error I get is when I try to restart snort I get the following error.



7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Cannot allocate memory!





As I said, the only variables I have are the actual rules that are 
updated from ET and Sourcefire. Could a rule be causing this?



Here are the stats on my snort config:





   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

top - 09:41:21 up 2 days, 24 min,  1 user,  load average: 0.14, 0.24, 0.22
Tasks: 383 total,   1 running, 382 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.2%us,  0.1%sy,  0.0%ni, 99.6%id,  0.0%wa,  0.0%hi, 0.0%si, 0.0%st
Mem:  12462404k total,   470188k used, 11992216k free,     1056k buffers
Swap:  1020116k total,        0k used,  1020116k free,   260968k cached

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation



