[Snort-devel] Snort: Unable to allocate memory.

Jason Williams jwilliam at ...921...
Wed Nov 7 20:49:02 EST 2001


Perhaps I was going in the wrong direction. The machine has 92 meg of
real and 72 meg of swap.

--
Jason

On Wed, Nov 07, 2001 at 10:40:56PM -0500, Martin Roesch wrote:
> Ok, silly question I suppose, but how much memory does your system have?
> The default memcap is 8 megs...
> 
>      -Marty
> 
> Jason Williams wrote:
> > 
> > Thanks for your fast reply.  Sorry about the length of this message, it
> > has a couple of different outputs.
> > 
> > Initially, I was using the default snort.conf:
> > preprocessor stream4: detect_scans
> > preprocessor stream4_reassemble
> > 
> > After your mail, I changed it to a few different options:
> > preprocessor stream4: detect_scans, memcap 4000000
> > preprocessor stream4: detect_scans, memcap 2000000
> > preprocessor stream4: detect_scans, memcap 500000
> > preprocessor stream4: detect_scans, memcap 50000
> > 
> > All caused similar errors, Unable to allocate memory! (2095 bytes in use)
> > 
> > I even tried
> > preprocessor stream4: noinspect, memcap 50000
> > with the same result.
> > 
> > Here is the most recent config with inspection:
> > --OUTPUT 1--
> > Initializing rule chains...
> > No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> > Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 50000 bytes
> >     State alerts: INACTIVE
> >     Scan alerts: ACTIVE
> >     Log Flushed Streams: INACTIVE
> > No arguments to stream4_reassemble, setting defaults:
> >      Reassemble client: ACTIVE
> >      Reassemble server: INACTIVE
> >      Reassemble ports: 21 23 25 53 80 143 110 111 513
> >      Reassembly alerts: ACTIVE
> > Back Orifice detection brute force: DISABLED
> > Using LOCAL time
> > 882 Snort rules read...
> > 882 Option Chains linked into 92 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > 
> > Rule application order: ->activation->dynamic->alert->pass->log
> > 
> >         --== Initializing Snort ==--
> > 
> > Initializing Network Interface eth0
> > Decoding Ethernet on interface eth0
> > 
> >         --== Initialization Complete ==--
> > 
> > -*> Snort! <*-
> > Version 1.8.2 (Build 86)
> > By Martin Roesch (roesch at ...402..., www.snort.org)
> > --END OUTPUT 1--
> > 
> > I tried memcap 50000 with my debug-enabled version, also build 86.
> > 
> > --OUTPUT 2--
> > tcp header starts at: 0x120819fd4
> > spp_stream4.c:2331: Trying to get session...
> > spp_stream4.c:2337: Looking for sip: 0xB80DB40 sp: 40615  cip: 0x6B9753D1
> > cp: 110 flags: ***AP***
> > spp_stream4.c:2345: GetSession forward didn't work, trying backwards...
> > spp_stream4.c:2351: Looking for sip: 0x6B9753D1 sp: 110  cip: 0xB80DB40
> > cp: 40615 flags: ***AP***
> > spp_stream4.c:2363: Found session
> > spp_stream4.c:1018: client packet: ***AP***
> > spp_stream4.c:1604: Server state: ESTABLISHED
> > spp_stream4.c:2490: Storing client packet (-1 bytes)
> > spp_stream4.c:2554: [A] Allocating 88 bytes for StreamPacketData
> > spp_stream4.c:2577: [A] Allocating -1 bytes for packet
> > Unable to allocate memory! (2095 bytes in use)
> > Fatal Error, Quitting..
> > --END OUTPUT 2--
> > 
> > --
> > Jason Williams
> > 
> > On Wed, Nov 07, 2001 at 09:36:00AM -0500, Martin Roesch wrote:
> > > Did you add a 'memcap' argument to your stream4 preprocessor directive
> > > in the snort.conf?  How are the stream4 and stream4_reassemble plugins
> > > configured?
> > >
> > >      -Marty
> > >
> > > Jason Williams wrote:
> > > >
> > > > This was the daily cvs build from November 5th.   The same problems were
> > > > experienced with 1.8.2 build 86 and 1.8.1-RELEASE.
> > > >
> > > > Redhat 6.2, Linux 2.2.14-6.0, on an Alpha.
> > > > Using all the rules that came with the default snort.conf.
> > > > Tried snort -Afull, snort -Afast
> > > > Error Messages:
> > > >
> > > > Pattern match failed
> > > >    => Checking Option Node 859
> > > > CheckIpOptions:   => Checking Option Node 860
> > > > CheckIpOptions:   => Checking Option Node 861
> > > > CheckIpOptions:   => Checking Option Node 876
> > > >            <!!> CheckFragBits: [rule: 0x20:0   pkt: 0x40] Normal test
> > > > failed
> > > > No match, continuing...
> > > > [*] Evaluating rule list: pass
> > > > [*] Evaluating rule list: log
> > > > Packet!
> > > > caplen: 4294967295    pktlen: 4294967295
> > > > 0   8
> > > > IP datagram size calculated to be 4294967281 bytes
> > > > ip header starts at: 0x120819f40, length is 4294967281
> > > > IP Checksum: OK
> > > > IP header length: 20
> > > > TCP th_off is 5, passed len is 26
> > > > TCP Checksum: OK
> > > > tcp header starts at: 0x120819f54
> > > > Unable to allocate memory! (2719 bytes in use)
> > > > Fatal Error, Quitting..
> > > >
> > > > The memory amount is not constant.  When not in debug mode, the error is:
> > > > FATAL ERROR: Unable to allocate memory! (1887 bytes in use)
> > > >
> > > > I believe it is part of stream4, which is why I tried the daily cvs
> > > > snapshot after I read about there being some problems with unset
> > > > variables.
> > > >
> > > > This was built with  ./configure
> > > > --with-libpcap-includes=/usr/local/src/libpcap-0.6.2 --enable-debug
> > > >
> > > > The only change made to snort.conf was var HOME_NET.
> > > >
> > > > I also ran a copy without --enable-debug, and with libpcap-0.4, to the
> > > > same end.  I have had snort run on this machine before, but it was several
> > > > versions ago.
> > > >
> > > > --
> > > > Jason Williams
> > > >
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel at lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > >
> > > --
> > > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > > roesch at ...402... - http://www.sourcefire.com
> > > Snort: Open Source Network IDS - http://www.snort.org
> > 
> 
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...402... - http://www.sourcefire.com  
> Snort: Open Source Network IDS - http://www.snort.org
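
The quoted debug output reports caplen 4294967295, which is -1 read as an unsigned 32-bit value, an IP datagram size of 4294967281 (that value minus a 14-byte Ethernet header), and then an attempt to allocate -1 bytes. The following is an added example, not code from Snort or from either poster, of length checks that reject such a capture header before any allocation; the function names, the `store` struct and the 1514-byte snapshot length are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HDR_LEN 14u   /* Ethernet header; the output decodes Ethernet on eth0 */
#define SNAPLEN     1514u /* assumed snapshot length, not taken from the thread */

/* Hypothetical byte-accounted store, modelled only on the "Session memory
 * cap" line of the output; this is not Snort's data structure. */
struct store { size_t in_use; size_t memcap; };

/* What an unchecked decoder computes: unsigned subtraction on a bogus caplen. */
uint32_t unchecked_ip_size(uint32_t caplen) { return caplen - ETH_HDR_LEN; }

/* Returns the IP datagram size, or -1 when the capture header is implausible:
 * longer than the snapshot length, longer than the wire length, or too short
 * to hold the link-layer header. */
int ip_datagram_size(uint32_t caplen, uint32_t pktlen)
{
    if (caplen > SNAPLEN || caplen > pktlen || caplen < ETH_HDR_LEN)
        return -1;
    return (int)(caplen - ETH_HDR_LEN);
}

/* Copies len bytes into the store. A non-positive length, or one that would
 * exceed the memcap, is refused before malloc() ever sees it; malloc((size_t)-1)
 * would otherwise request SIZE_MAX bytes and fail. Returns NULL on refusal. */
void *store_packet(struct store *s, const uint8_t *data, int len)
{
    if (len <= 0 || (size_t)len > s->memcap - s->in_use)
        return NULL;
    void *p = malloc((size_t)len);
    if (p == NULL)
        return NULL;
    memcpy(p, data, (size_t)len);
    s->in_use += (size_t)len;
    return p;
}

int main(void)
{
    /* Values from the quoted output: caplen and pktlen both 4294967295. */
    printf("unchecked size: %u\n", unchecked_ip_size(4294967295u));
    printf("checked size:   %d\n", ip_datagram_size(4294967295u, 4294967295u));
    return 0;
}
```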



