[Snort-devel] Snort: Unable to allocate memory.
jwilliam at ...921...
Wed Nov 7 18:42:02 EST 2001
Thanks for your fast reply. Sorry about the length of this message, it
has a couple of different outputs.
Initially, I was using the default snort.conf:
preprocessor stream4: detect_scans
After your mail, I changed it to a few different options:
preprocessor stream4: detect_scans, memcap 4000000
preprocessor stream4: detect_scans, memcap 2000000
preprocessor stream4: detect_scans, memcap 500000
preprocessor stream4: detect_scans, memcap 50000
All caused similar errors, Unable to allocate memory! (2095 bytes in use)
I even tried
preprocessor stream4: noinspect, memcap 50000
with the same result.
Here is the most recent config with inspection:
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 50000 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
882 Snort rules read...
882 Option Chains linked into 92 Chain Headers
0 Dynamic rules
Rule application order: ->activation->dynamic->alert->pass->log
--== Initializing Snort ==--
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.2 (Build 86)
By Martin Roesch (roesch at ...402..., www.snort.org)
--END OUTPUT 1--
I tried memcap 50000 with my debug-enabled version, also build 86.
tcp header starts at: 0x120819fd4
spp_stream4.c:2331: Trying to get session...
spp_stream4.c:2337: Looking for sip: 0xB80DB40 sp: 40615 cip: 0x6B9753D1
cp: 110 flags: ***AP***
spp_stream4.c:2345: GetSession forward didn't work, trying backwards...
spp_stream4.c:2351: Looking for sip: 0x6B9753D1 sp: 110 cip: 0xB80DB40
cp: 40615 flags: ***AP***
spp_stream4.c:2363: Found session
spp_stream4.c:1018: client packet: ***AP***
spp_stream4.c:1604: Server state: ESTABLISHED
spp_stream4.c:2490: Storing client packet (-1 bytes)
spp_stream4.c:2554: [A] Allocating 88 bytes for StreamPacketData
spp_stream4.c:2577: [A] Allocating -1 bytes for packet
Unable to allocate memory! (2095 bytes in use)
Fatal Error, Quitting..
--END OUTPUT 2--
On Wed, Nov 07, 2001 at 09:36:00AM -0500, Martin Roesch wrote:
> Did you add a 'memcap' argument to your stream4 preprocessor directive
> in the snort.conf? How are the stream4 and stream4_reassemble plugins
> Jason Williams wrote:
> > This was the daily cvs build from November 5th. The same problems were
> > experienced with 1.8.2 build 86 and 1.8.1-RELEASE.
> > Redhat 6.2, Linux 2.2.14-6.0, on an Alpha.
> > Using all the rules that came with the default snort.conf.
> > Tried snort -Afull, snort -Afast
> > Error Messages:
> > Pattern match failed
> > => Checking Option Node 859
> > CheckIpOptions: => Checking Option Node 860
> > CheckIpOptions: => Checking Option Node 861
> > CheckIpOptions: => Checking Option Node 876
> > <!!> CheckFragBits: [rule: 0x20:0 pkt: 0x40] Normal test
> > failed
> > No match, continuing...
> > [*] Evaluating rule list: pass
> > [*] Evaluating rule list: log
> > Packet!
> > caplen: 4294967295 pktlen: 4294967295
> > 0 8
> > IP datagram size calculated to be 4294967281 bytes
> > ip header starts at: 0x120819f40, length is 4294967281
> > IP Checksum: OK
> > IP header length: 20
> > TCP th_off is 5, passed len is 26
> > TCP Checksum: OK
> > tcp header starts at: 0x120819f54
> > Unable to allocate memory! (2719 bytes in use)
> > Fatal Error, Quitting..
> > The memory amount is not constant. When not in debug mode, the error is:
> > FATAL ERROR: Unable to allocate memory! (1887 bytes in use)
> > I believe it is part of stream4, which is why I tried the daily cvs
> > snapshot after I read about there being some problems with unset
> > variables.
> > This was built with ./configure
> > --with-libpcap-includes=/usr/local/src/libpcap-0.6.2 --enable-debug
> > The only change made to snort.conf was var HOME_NET.
> > I also ran a copy without --enable-debug, and with libpcap-0.4, to the
> > same end. I have had snort run on this machine before, but it was several
> > versions ago.
> > --
> > Jason Williams
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-devel