Snort mailing list archives
Re: Question
From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
Date: Fri, 22 Jul 2011 10:30:28 -0500
Thanks. I always thought the more memory you allocate to snort the less the packet loss.

1. When I start with the variables (which I have been using for a year with no problem) I get no packet loss. However the snort process just "disappears/stops after 24 hours" with no logs as to why.
2. When I start without the variables Snort is stable but I get an average of 25% packet loss.

Again I have 12GB of memory on this R710. I can't imagine why it's running out of memory. And the fact that it's been running fine for a year is what's killing me. It has to be a rule causing this.

7/18/2011 9:33 AM : snort[7491]: FATAL ERROR: Can't start DAQ (-1) can't mmap rx ring: Cannot allocate memory!

PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Thursday, July 21, 2011 11:11 AM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

The packet loss is a separate tuning issue. That probably means things are working. Run Snort configured with just a few rules that hit often to test it and look at your packet loss then. If you are monitoring more than a few hundred MB/sec and you are running more than 1000 rules, I guarantee you will be dropping packets.

On Thu, Jul 21, 2011 at 10:53 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:
I reboot weekly. No, I don't get the errors when I remove the environment variables but I get tremendous packet loss.

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Monday, July 18, 2011 3:21 PM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

And you get the same error trying to run snort when you leave the environment variables off?

On Mon, Jul 18, 2011 at 2:48 PM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:

Mem: 12462404k total, 470188k used, 11992216k free, 1056k

It shows I have 12GB

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Monday, July 18, 2011 12:10 PM
To: Gibson, Nathan J. (HSC)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question

That error message indicates the box doesn't have enough RAM for PF_RING to allocate its memory. Are you sure you're not low in RAM for the box? That might also be a product of using PCAP_MEMORY=6120. Try removing the environment variables as they shouldn't be needed anyway when using PF_RING (as the modprobe.conf settings control it).

On Mon, Jul 18, 2011 at 9:42 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson () ouhsc edu> wrote:

I have been running snort for over a year now. Nothing has changed in my configuration (except new rules). I have been running the same rule categories for a year. All of a sudden (about a month ago) snort started randomly stopping with no apparent errors in the logs. The only error I get is when I try to restart snort I get the following error.

7/18/2011 9:33 AM : snort[7491]: FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Cannot allocate memory!

As I said the only variables I have are the actual rules that are updated from ET and Sourcefire. Could a rule be causing this?

Here are the stats on my snort config:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

top - 09:41:21 up 2 days, 24 min, 1 user, load average: 0.14, 0.24, 0.22
Tasks: 383 total, 1 running, 382 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2%us, 0.1%sy, 0.0%ni, 99.6%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 12462404k total, 470188k used, 11992216k free, 1056k buffers
Swap: 1020116k total, 0k used, 1020116k free, 260968k cached

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
Current thread:
- Question Gibson, Nathan J. (HSC) (Jul 18)
- Re: Question Martin Holste (Jul 18)
- Re: Question Gibson, Nathan J. (HSC) (Jul 18)
- Re: Question Martin Holste (Jul 18)
- Re: Question Gibson, Nathan J. (HSC) (Jul 21)
- Re: Question Martin Holste (Jul 21)
- Re: Question Gibson, Nathan J. (HSC) (Jul 22)
- Re: Question Martin Holste (Jul 22)
- Re: Question Gibson, Nathan J. (HSC) (Jul 25)
- Re: Question Martin Holste (Jul 25)
- Re: Question Will Metcalf (Jul 25)
- Re: Question Gibson, Nathan J. (HSC) (Jul 18)
- Re: Question Martin Holste (Jul 18)