[Snort-devel] Snort: Unable to allocate memory.

Martin Roesch roesch at ...402...
Wed Nov 7 19:42:12 EST 2001


Ok, silly question I suppose, but how much memory does your system have?
The default memcap is 8 megs...

     -Marty

Jason Williams wrote:
> 
> Thanks for your fast reply.  Sorry about the length of this message, it
> has a couple of different outputs.
> 
> Initially, I was using the default snort.conf:
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> 
> After your mail, I changed it to a few different options:
> preprocessor stream4: detect_scans, memcap 4000000
> preprocessor stream4: detect_scans, memcap 2000000
> preprocessor stream4: detect_scans, memcap 500000
> preprocessor stream4: detect_scans, memcap 50000
> 
> All caused similar errors, Unable to allocate memory! (2095 bytes in use)
> 
> I even tried
> preprocessor stream4: noinspect, memcap 50000
> with the same result.
> 
> Here is the most recent config with inspection:
> --OUTPUT 1--
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 50000 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> 882 Snort rules read...
> 882 Option Chains linked into 92 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Rule application order: ->activation->dynamic->alert->pass->log
> 
>         --== Initializing Snort ==--
> 
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.8.2 (Build 86)
> By Martin Roesch (roesch at ...402..., www.snort.org)
> --END OUTPUT 1--
> 
> I tried memcap 50000 with my debug-enabled version, also build 86.
> 
> --OUTPUT 2--
> tcp header starts at: 0x120819fd4
> spp_stream4.c:2331: Trying to get session...
> spp_stream4.c:2337: Looking for sip: 0xB80DB40 sp: 40615  cip: 0x6B9753D1
> cp: 110 flags: ***AP***
> spp_stream4.c:2345: GetSession forward didn't work, trying backwards...
> spp_stream4.c:2351: Looking for sip: 0x6B9753D1 sp: 110  cip: 0xB80DB40
> cp: 40615 flags: ***AP***
> spp_stream4.c:2363: Found session
> spp_stream4.c:1018: client packet: ***AP***
> spp_stream4.c:1604: Server state: ESTABLISHED
> spp_stream4.c:2490: Storing client packet (-1 bytes)
> spp_stream4.c:2554: [A] Allocating 88 bytes for StreamPacketData
> spp_stream4.c:2577: [A] Allocating -1 bytes for packet
> Unable to allocate memory! (2095 bytes in use)
> Fatal Error, Quitting..
> --END OUTPUT 2--
> 
> --
> Jason Williams
> 
> On Wed, Nov 07, 2001 at 09:36:00AM -0500, Martin Roesch wrote:
> > Did you add a 'memcap' argument to your stream4 preprocessor directive
> > in the snort.conf?  How are the stream4 and stream4_reassemble plugins
> > configured?
> >
> >      -Marty
> >
> > Jason Williams wrote:
> > >
> > > This was the daily cvs build from November 5th.   The same problems were
> > > experienced with 1.8.2 build 86 and 1.8.1-RELEASE.
> > >
> > > Redhat 6.2, Linux 2.2.14-6.0, on an Alpha.
> > > Using all the rules that came with the default snort.conf.
> > > Tried snort -Afull, snort -Afast
> > > Error Messages:
> > >
> > > Pattern match failed
> > >    => Checking Option Node 859
> > > CheckIpOptions:   => Checking Option Node 860
> > > CheckIpOptions:   => Checking Option Node 861
> > > CheckIpOptions:   => Checking Option Node 876
> > >            <!!> CheckFragBits: [rule: 0x20:0   pkt: 0x40] Normal test
> > > failed
> > > No match, continuing...
> > > [*] Evaluating rule list: pass
> > > [*] Evaluating rule list: log
> > > Packet!
> > > caplen: 4294967295    pktlen: 4294967295
> > > 0   8
> > > IP datagram size calculated to be 4294967281 bytes
> > > ip header starts at: 0x120819f40, length is 4294967281
> > > IP Checksum: OK
> > > IP header length: 20
> > > TCP th_off is 5, passed len is 26
> > > TCP Checksum: OK
> > > tcp header starts at: 0x120819f54
> > > Unable to allocate memory! (2719 bytes in use)
> > > Fatal Error, Quitting..
> > >
> > > The memory amount is not constant.  When not in debug mode, the error is:
> > > FATAL ERROR: Unable to allocate memory! (1887 bytes in use)
> > >
> > > I believe it is part of stream4, which is why I tried the daily cvs
> > > snapshot after I read about there being some problems with unset
> > > variables.
> > >
> > > This was built with  ./configure
> > > --with-libpcap-includes=/usr/local/src/libpcap-0.6.2 --enable-debug
> > >
> > > The only change made to snort.conf was var HOME_NET.
> > >
> > > I also ran a copy without --enable-debug, and with libpcap-0.4, to the
> > > same end.  I have had snort run on this machine before, but it was several
> > > versions ago.
> > >
> > > --
> > > Jason Williams
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> > --
> > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > roesch at ...402... - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> 

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
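
The debug output quoted in this thread reports caplen 4294967295 and an allocation request of -1 bytes; both are the 32-bit pattern 0xFFFFFFFF. The following is an added example, not part of the original messages and not Snort source: a length check that rejects such a value before it reaches the allocator and keeps a memcap refusal distinct from a failed malloc. SNAPLEN, struct store, store_packet and demo_rc are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SNAPLEN 1514u /* assumed capture snapshot length, not from the thread */

/* Hypothetical memcap-limited store; these names are not Snort's. */
struct store { size_t in_use, memcap; };
enum store_rc { STORE_OK, STORE_BAD_LEN, STORE_OVER_CAP, STORE_NO_MEM };

/* Reinterpret a 32-bit length as signed, the way a signed print shows it. */
int32_t as_signed(uint32_t v) { int32_t s; memcpy(&s, &v, sizeof s); return s; }

/* Copy caplen bytes only when the length is plausible and fits the cap. */
enum store_rc store_packet(struct store *s, const uint8_t *data,
                           uint32_t caplen, uint8_t **out)
{
    *out = NULL;
    if (caplen == 0 || caplen > SNAPLEN)
        return STORE_BAD_LEN;           /* 0xFFFFFFFF is rejected here */
    if (caplen > s->memcap - s->in_use)
        return STORE_OVER_CAP;          /* policy limit, not an OOM */
    uint8_t *buf = malloc(caplen);
    if (buf == NULL)
        return STORE_NO_MEM;
    memcpy(buf, data, caplen);
    s->in_use += caplen;
    *out = buf;
    return STORE_OK;
}

/* Run one constructed packet through a fresh store and return the result. */
int demo_rc(uint32_t caplen, size_t memcap)
{
    static const uint8_t frame[SNAPLEN] = {0}; /* constructed sample bytes */
    struct store s = { 0, memcap };
    uint8_t *copy;
    enum store_rc rc = store_packet(&s, frame, caplen, &copy);
    free(copy);
    return (int)rc;
}

int main(void)
{
    printf("4294967295 as signed: %d\n", (int)as_signed(4294967295u));
    printf("caplen=4294967295 -> rc %d\n", demo_rc(4294967295u, 50000));
    printf("caplen=26         -> rc %d\n", demo_rc(26, 50000));
    return 0;
}
```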



