[Snort-devel] Snort: Unable to allocate memory.

Jason Williams jwilliam at ...921...
Wed Nov 7 18:42:02 EST 2001


Thanks for your fast reply.  Sorry about the length of this message, it
has a couple of different outputs.  

Initially, I was using the default snort.conf:
preprocessor stream4: detect_scans
preprocessor stream4_reassemble

After your mail, I changed it to a few different options:
preprocessor stream4: detect_scans, memcap 4000000
preprocessor stream4: detect_scans, memcap 2000000
preprocessor stream4: detect_scans, memcap 500000
preprocessor stream4: detect_scans, memcap 50000 

All caused similar errors, Unable to allocate memory! (2095 bytes in use)

I even tried 
preprocessor stream4: noinspect, memcap 50000
with the same result.

Here is the most recent config with inspection: 
--OUTPUT 1--
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 50000 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
882 Snort rules read...
882 Option Chains linked into 92 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initializing Snort ==--

Initializing Network Interface eth0
Decoding Ethernet on interface eth0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.2 (Build 86)
By Martin Roesch (roesch at ...402..., www.snort.org)
--END OUTPUT 1--

I tried memcap 50000 with my debug-enabled version, also build 86.

--OUTPUT 2--
tcp header starts at: 0x120819fd4
spp_stream4.c:2331: Trying to get session...
spp_stream4.c:2337: Looking for sip: 0xB80DB40 sp: 40615  cip: 0x6B9753D1
cp: 110 flags: ***AP***
spp_stream4.c:2345: GetSession forward didn't work, trying backwards...
spp_stream4.c:2351: Looking for sip: 0x6B9753D1 sp: 110  cip: 0xB80DB40
cp: 40615 flags: ***AP***
spp_stream4.c:2363: Found session
spp_stream4.c:1018: client packet: ***AP***
spp_stream4.c:1604: Server state: ESTABLISHED
spp_stream4.c:2490: Storing client packet (-1 bytes)
spp_stream4.c:2554: [A] Allocating 88 bytes for StreamPacketData
spp_stream4.c:2577: [A] Allocating -1 bytes for packet
Unable to allocate memory! (2095 bytes in use)
Fatal Error, Quitting..
--END OUTPUT 2--

--
Jason Williams


On Wed, Nov 07, 2001 at 09:36:00AM -0500, Martin Roesch wrote:
> Did you add a 'memcap' argument to your stream4 preprocessor directive
> in the snort.conf?  How are the stream4 and stream4_reassemble plugins
> configured?
> 
>      -Marty
> 
> Jason Williams wrote:
> > 
> > This was the daily cvs build from November 5th.   The same problems were
> > experienced with 1.8.2 build 86 and 1.8.1-RELEASE.
> > 
> > Redhat 6.2, Linux 2.2.14-6.0, on an Alpha.
> > Using all the rules that came with the default snort.conf.
> > Tried snort -Afull, snort -Afast
> > Error Messages:
> > 
> > Pattern match failed
> >    => Checking Option Node 859
> > CheckIpOptions:   => Checking Option Node 860
> > CheckIpOptions:   => Checking Option Node 861
> > CheckIpOptions:   => Checking Option Node 876
> >            <!!> CheckFragBits: [rule: 0x20:0   pkt: 0x40] Normal test
> > failed
> > No match, continuing...
> > [*] Evaluating rule list: pass
> > [*] Evaluating rule list: log
> > Packet!
> > caplen: 4294967295    pktlen: 4294967295
> > 0   8
> > IP datagram size calculated to be 4294967281 bytes
> > ip header starts at: 0x120819f40, length is 4294967281
> > IP Checksum: OK
> > IP header length: 20
> > TCP th_off is 5, passed len is 26
> > TCP Checksum: OK
> > tcp header starts at: 0x120819f54
> > Unable to allocate memory! (2719 bytes in use)
> > Fatal Error, Quitting..
> > 
> > The memory amount is not constant.  When not in debug mode, the error is:
> > FATAL ERROR: Unable to allocate memory! (1887 bytes in use)
> > 
> > I believe it is part of stream4, which is why I tried the daily cvs
> > snapshot after I read about there being some problems with unset
> > variables.
> > 
> > This was built with  ./configure
> > --with-libpcap-includes=/usr/local/src/libpcap-0.6.2 --enable-debug
> > 
> > The only change made to snort.conf was var HOME_NET.
> > 
> > I also ran a copy without --enable-debug, and with libpcap-0.4, to the
> > same end.  I have had snort run on this machine before, but it was several
> > versions ago.
> > 
> > --
> > Jason Williams
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...402... - http://www.sourcefire.com  
> Snort: Open Source Network IDS - http://www.snort.org




More information about the Snort-devel mailing list