Snort mailing list archives

Re: Lowmem issue

From: Y M <snort () outlook com>
Date: Mon, 6 Feb 2017 17:48:21 +0000

Admittedly, I haven't seen this one before. But, are you running the native daq or some other layer, like pf_ring daq? 
I have seen similar messages when Snort is already running (with pf_ring) and starting new instances of Snort could 
lead to similar messages because daq is already "allocated/occupied". I could be totally off here.

YM


________________________________
From: James Lay <jlay () slave-tothe-box net>
Sent: Monday, February 6, 2017 6:51:53 PM
To: Snort
Subject: [Snort-users] Lowmem issue

Been seeing these as of late:

Feb  6 15:05:46 snort[21636]: FATAL ERROR: Can't start DAQ (-1) - eth0:
Couldn't allocate enough memory for the kernel packet ring!!

free -lm:

              total       used       free     shared    buffers
cached
Mem:         12012      11281        730       1207         38
5599
Low:         12012      11281        730
High:            0          0          0
-/+ buffers/cache:       5642       6369
Swap:         5235       1192       4043


Not sure where to check...memorywise I'm running with:

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len
20
config event_queue: max_queue 8 log 3 order_events content_length
config paf_max: 16000

Any thoughts would be awesome...thank you.

James

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Lowmem issue James Lay (Feb 06)
- Re: Lowmem issue Y M (Feb 06)
  - Re: Lowmem issue James Lay (Feb 06)
- Re: Lowmem issue James Lay (Feb 13)
  - Re: Lowmem issue Michael Altizer (Feb 14)
    - Re: Lowmem issue James Lay (Feb 14)