Snort mailing list archives
Re: Question
From: Martin Holste <mcholste () gmail com>
Date: Sat, 23 Jul 2011 00:18:53 -0500
Ring buffer memory is only a buffer, and a buffer will eventually fail if the CPU cannot keep up with the traffic. No matter how large the buffer, eventually it will run out because it's in a losing game. A large buffer just buys you a few seconds before the packet loss. One thing a lot of RAM will get you is the ability to run ac for your pattern matching engine instead of ac-split. That will increase performance and might let your CPU keep up.
1. When I start with the variables (which I have been using for a year with no problem) I get no packet loss. However the snort process just "disappears/stops after 24 hours" with no logs as to why.
Sounds like a cron job is killing it.
2. When I start without the variables Snort is stable but I get an average of 25% packet loss.
As I understand it, PF_RING won't use those variables anyway. To get a look, cat /proc/net/pf_ring/<file for snort pid> which should give you the best numbers.
Again I have 12GB of memory on this R710. I can't imagine why it's running out of memory. And the fact that it's been running fine for a year is what's killing me. It has to be a rule causing this.

7/18/2011 9:33 AM : snort[7491]: FATAL ERROR: Can't start DAQ (-1) can't mmap rx ring: Cannot allocate memory!

PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D
I don't think it's actually running out of memory or can't allocate it, I think it's a different problem. What are your daq config variables?
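The PF_RING counter check suggested in the message above, as an added example that is not part of the original post: it compares two snapshots of the per-socket stats file and reports loss over that interval rather than since start-up. The field names `Tot Packets` and `Tot Pkt Lost`, the assumption that `Tot Packets` includes lost packets, the function names and the sample values are all assumptions made for this example.

```shell
#!/bin/sh
# Assumed stats layout: "Name   : value" lines, including
# "Tot Packets" and "Tot Pkt Lost" (cumulative counters).

# pf_ring_field NAME FILE -> prints the integer value of one counter
pf_ring_field() {
    awk -F: -v want="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == want { val = $2; gsub(/[ \t]/, "", val); print val; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$2"
}

# pf_ring_loss BEFORE AFTER -> prints "<packets> <lost> <loss%>" for the interval
pf_ring_loss() {
    p0=$(pf_ring_field "Tot Packets" "$1") && l0=$(pf_ring_field "Tot Pkt Lost" "$1") &&
    p1=$(pf_ring_field "Tot Packets" "$2") && l1=$(pf_ring_field "Tot Pkt Lost" "$2") || {
        echo "expected counters not found" >&2; return 2; }
    dp=$((p1 - p0)); dl=$((l1 - l0))
    # A restarted sensor resets the counters; refuse to report a bogus rate.
    if [ "$dp" -lt 0 ] || [ "$dl" -lt 0 ]; then
        echo "counters went backwards (process restarted?)" >&2; return 3
    fi
    # Assumption: Tot Packets counts every packet offered to the ring, lost ones included.
    awk -v p="$dp" -v l="$dl" \
        'BEGIN { printf "%d %d %.2f\n", p, l, (p > 0 ? 100 * l / p : 0) }'
}

# Constructed sample snapshots (not taken from a real sensor).
demo() {
    tmp=$(mktemp -d)
    printf 'Bound Device(s)    : eth1\nTot Packets        : 1000000\nTot Pkt Lost       : 1000\n' > "$tmp/t0"
    printf 'Bound Device(s)    : eth1\nTot Packets        : 5000000\nTot Pkt Lost       : 1001000\n' > "$tmp/t1"
    pf_ring_loss "$tmp/t0" "$tmp/t1"
    rm -rf "$tmp"
}

demo
```

On a live sensor the two snapshots would be copies of `/proc/net/pf_ring/<file for snort pid>` taken some seconds apart.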