[Snort-devel] Snort: Unable to allocate memory.

Jason Williams jwilliam at ...921...
Mon Nov 26 21:46:03 EST 2001


No luck, I'm afraid.

I tried the brand new snort-daily for today, November 26, in both regular
mode and debug mode.  The only thing I changed in snort.conf was my
HOME_NET.

./configure  --with-libpcap-includes=/usr/local/src/libpcap-0.6.2
./configure  --with-libpcap-includes=/usr/local/src/libpcap-0.6.2 --enable-debug
 
Version 1.8.3 (Build 88)

snort -Afull says:

tcp header starts at: 0x1201ac1c4
spp_stream4.c:2335: Trying to get session...
spp_stream4.c:2341: Looking for sip: 0x789753D1 sp: 23  cip: 0x4A6DBFA8
cp: 2626 flags: ***AP***
spp_stream4.c:2349: GetSession forward didn't work, trying backwards...
spp_stream4.c:2355: Looking for sip: 0x4A6DBFA8 sp: 2626  cip: 0x789753D1
cp: 23 flags: ***AP***
spp_stream4.c:2364: Unable to find session
spp_stream4.c:2367: Found session
spp_stream4.c:981: Calling CreateNewSession()
spp_stream4.c:1919: [A] initializing new session (208 bytes)
spp_stream4.c:2130: Inserting session into session tree...
spp_stream4.c:1009: client packet: ***AP***
spp_stream4.c:1608: Server state: ESTABLISHED
spp_stream4.c:2494: Storing client packet (-1 bytes)
spp_stream4.c:2558: [A] Allocating 88 bytes for StreamPacketData
spp_stream4.c:2581: [A] Allocating -1 bytes for packet
Unable to allocate memory! (2095 bytes in use)
Fatal Error, Quitting..
[root at ...980... /usr/local/src/snort.20011126.debug]# 

I tried a memcap of 16000000.

tcp header starts at: 0x1201ac1c4
spp_stream4.c:2335: Trying to get session...
spp_stream4.c:2341: Looking for sip: 0x4A6DBFA8 sp: 2626  cip: 0x789753D1
cp: 23 flags: ***AP***
spp_stream4.c:2349: GetSession forward didn't work, trying backwards...
spp_stream4.c:2355: Looking for sip: 0x789753D1 sp: 23  cip: 0x4A6DBFA8
cp: 2626 flags: ***AP***
spp_stream4.c:2364: Unable to find session
spp_stream4.c:2367: Found session
spp_stream4.c:981: Calling CreateNewSession()
spp_stream4.c:1919: [A] initializing new session (208 bytes)
spp_stream4.c:2130: Inserting session into session tree...
spp_stream4.c:1009: client packet: ***AP***
spp_stream4.c:1608: Server state: ESTABLISHED
spp_stream4.c:2494: Storing client packet (-1 bytes)
spp_stream4.c:2558: [A] Allocating 88 bytes for StreamPacketData
spp_stream4.c:2581: [A] Allocating -1 bytes for packet
Unable to allocate memory! (2303 bytes in use)
Fatal Error, Quitting..

I ran it a third time watching top; free memory does decrease but never
runs out, never even getting to swap.  It says snort uses 4.2% of memory.

--
Jason Williams




On Thu, Nov 22, 2001 at 09:20:02PM -0500, Martin Roesch wrote:
> Hi Jason,
>      It sounds like you're running out of memory.  Has this changed with
> the latest builds at all?
> 
>      -Marty
> 
> Jason Williams wrote:
> > 
> > Perhaps I was going in the wrong direction.   The machine has 92 meg of
> > real and 72 meg of swap.
> > 
> > --
> > Jason
> > 
> > On Wed, Nov 07, 2001 at 10:40:56PM -0500, Martin Roesch wrote:
> > > > Ok, silly question I suppose, but how much memory does your system have?
> > > The default memcap is 8 megs...
> > >
> > >      -Marty
> > >
> > > Jason Williams wrote:
> > > >
> > > > Thanks for your fast reply.  Sorry about the length of this message, it
> > > > has a couple of different outputs.
> > > >
> > > > Initially, I was using the default snort.conf:
> > > > preprocessor stream4: detect_scans
> > > > preprocessor stream4_reassemble
> > > >
> > > > After your mail, I changed it to a few different options:
> > > > preprocessor stream4: detect_scans, memcap 4000000
> > > > preprocessor stream4: detect_scans, memcap 2000000
> > > > preprocessor stream4: detect_scans, memcap 500000
> > > > preprocessor stream4: detect_scans, memcap 50000
> > > >
> > > > All caused similar errors, Unable to allocate memory! (2095 bytes in use)
> > > >
> > > > I even tried
> > > > preprocessor stream4: noinspect, memcap 50000
> > > > with the same result.
> > > >
> > > > Here is the most recent config with inspection:
> > > > --OUTPUT 1--
> > > > Initializing rule chains...
> > > > No arguments to frag2 directive, setting defaults to:
> > > >     Fragment timeout: 60 seconds
> > > >     Fragment memory cap: 4194304 bytes
> > > > Stream4 config:
> > > >     Stateful inspection: ACTIVE
> > > >     Session statistics: INACTIVE
> > > >     Session timeout: 30 seconds
> > > >     Session memory cap: 50000 bytes
> > > >     State alerts: INACTIVE
> > > >     Scan alerts: ACTIVE
> > > >     Log Flushed Streams: INACTIVE
> > > > No arguments to stream4_reassemble, setting defaults:
> > > >      Reassemble client: ACTIVE
> > > >      Reassemble server: INACTIVE
> > > >      Reassemble ports: 21 23 25 53 80 143 110 111 513
> > > >      Reassembly alerts: ACTIVE
> > > > Back Orifice detection brute force: DISABLED
> > > > Using LOCAL time
> > > > 882 Snort rules read...
> > > > 882 Option Chains linked into 92 Chain Headers
> > > > 0 Dynamic rules
> > > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >
> > > > Rule application order: ->activation->dynamic->alert->pass->log
> > > >
> > > >         --== Initializing Snort ==--
> > > >
> > > > Initializing Network Interface eth0
> > > > Decoding Ethernet on interface eth0
> > > >
> > > >         --== Initialization Complete ==--
> > > >
> > > > -*> Snort! <*-
> > > > Version 1.8.2 (Build 86)
> > > > By Martin Roesch (roesch at ...402..., www.snort.org)
> > > > --END OUTPUT 1--
> > > >
> > > > I tried memcap 50000 with my debug-enabled version, also build 86.
> > > >
> > > > --OUTPUT 2--
> > > > tcp header starts at: 0x120819fd4
> > > > spp_stream4.c:2331: Trying to get session...
> > > > spp_stream4.c:2337: Looking for sip: 0xB80DB40 sp: 40615  cip: 0x6B9753D1
> > > > cp: 110 flags: ***AP***
> > > > spp_stream4.c:2345: GetSession forward didn't work, trying backwards...
> > > > spp_stream4.c:2351: Looking for sip: 0x6B9753D1 sp: 110  cip: 0xB80DB40
> > > > cp: 40615 flags: ***AP***
> > > > spp_stream4.c:2363: Found session
> > > > spp_stream4.c:1018: client packet: ***AP***
> > > > spp_stream4.c:1604: Server state: ESTABLISHED
> > > > spp_stream4.c:2490: Storing client packet (-1 bytes)
> > > > spp_stream4.c:2554: [A] Allocating 88 bytes for StreamPacketData
> > > > spp_stream4.c:2577: [A] Allocating -1 bytes for packet
> > > > Unable to allocate memory! (2095 bytes in use)
> > > > Fatal Error, Quitting..
> > > > --END OUTPUT 2--
> > > >
> > > > --
> > > > Jason Williams
> > > >
> > > > On Wed, Nov 07, 2001 at 09:36:00AM -0500, Martin Roesch wrote:
> > > > > Did you add a 'memcap' argument to your stream4 preprocessor directive
> > > > > in the snort.conf?  How are the stream4 and stream4_reassemble plugins
> > > > > configured?
> > > > >
> > > > >      -Marty
> > > > >
> > > > > Jason Williams wrote:
> > > > > >
> > > > > > This was the daily cvs build from November 5th.   The same problems were
> > > > > > experienced with 1.8.2 build 86 and 1.8.1-RELEASE.
> > > > > >
> > > > > > Redhat 6.2, Linux 2.2.14-6.0, on an Alpha.
> > > > > > Using all the rules that came with the default snort.conf.
> > > > > > Tried snort -Afull, snort -Afast
> > > > > > Error Messages:
> > > > > >
> > > > > > Pattern match failed
> > > > > >    => Checking Option Node 859
> > > > > > CheckIpOptions:   => Checking Option Node 860
> > > > > > CheckIpOptions:   => Checking Option Node 861
> > > > > > CheckIpOptions:   => Checking Option Node 876
> > > > > >            <!!> CheckFragBits: [rule: 0x20:0   pkt: 0x40] Normal test
> > > > > > failed
> > > > > > No match, continuing...
> > > > > > [*] Evaluating rule list: pass
> > > > > > [*] Evaluating rule list: log
> > > > > > Packet!
> > > > > > caplen: 4294967295    pktlen: 4294967295
> > > > > > 0   8
> > > > > > IP datagram size calculated to be 4294967281 bytes
> > > > > > ip header starts at: 0x120819f40, length is 4294967281
> > > > > > IP Checksum: OK
> > > > > > IP header length: 20
> > > > > > TCP th_off is 5, passed len is 26
> > > > > > TCP Checksum: OK
> > > > > > tcp header starts at: 0x120819f54
> > > > > > Unable to allocate memory! (2719 bytes in use)
> > > > > > Fatal Error, Quitting..
> > > > > >
> > > > > > The memory amount is not constant.  When not in debug mode, the error is:
> > > > > > FATAL ERROR: Unable to allocate memory! (1887 bytes in use)
> > > > > >
> > > > > > I believe it is part of stream4, which is why I tried the daily cvs
> > > > > > snapshot after I read about there being some problems with unset
> > > > > > variables.
> > > > > >
> > > > > > This was built with  ./configure
> > > > > > --with-libpcap-includes=/usr/local/src/libpcap-0.6.2 --enable-debug
> > > > > >
> > > > > > The only change made to snort.conf was var HOME_NET.
> > > > > >
> > > > > > I also ran a copy without --enable-debug, and with libpcap-0.4, to the
> > > > > > same end.  I have had snort run on this machine before, but it was several
> > > > > > versions ago.
> > > > > >
> > > > > > --
> > > > > > Jason Williams
> > > > > >
> > > > > > _______________________________________________
> > > > > > Snort-devel mailing list
> > > > > > Snort-devel at lists.sourceforge.net
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > > >
> > > > > --
> > > > > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > > > > roesch at ...402... - http://www.sourcefire.com
> > > > > Snort: Open Source Network IDS - http://www.snort.org
> > > >
> > >
> > > --
> > > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > > roesch at ...402... - http://www.sourcefire.com
> > > Snort: Open Source Network IDS - http://www.snort.org
> 
> --
> Martin Roesch
> roesch at ...402...
> http://www.sourcefire.com - http://www.snort.org
> 
> 
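The debug output in this thread shows caplen and pktlen of 4294967295 (2^32 - 1), an IP datagram size of 4294967281 (that value minus 14), and a store of "-1 bytes" just before the allocation fails. As an added example, which is not Snort's code and not from anyone in the thread, here is that arithmetic in C next to a length check placed ahead of the allocation; the function names, MAX_SNAPLEN and the 40-byte header figure are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ETHER_HDR_LEN 14u    /* link header; the 14-byte gap seen in the log */
#define MAX_SNAPLEN   65535u /* assumed ceiling for a credible capture length */

/* Unchecked arithmetic as in the log: unsigned subtraction of the link header. */
uint32_t ip_len_unchecked(uint32_t caplen) { return caplen - ETHER_HDR_LEN; }

/* The same 32 bits read as signed (two's complement), printed as "-1 bytes". */
int32_t as_signed(uint32_t len) { return (int32_t)len; }

/* Hypothetical guard: payload length, or -1 when the lengths are not credible. */
long checked_payload_len(uint32_t caplen, uint32_t pktlen, uint32_t hdr_len)
{
    if (caplen > MAX_SNAPLEN || caplen > pktlen)
        return -1;                       /* capture header itself is bogus */
    if (hdr_len > MAX_SNAPLEN || caplen < ETHER_HDR_LEN + hdr_len)
        return -1;                       /* headers would run past the capture */
    return (long)(caplen - ETHER_HDR_LEN - hdr_len);
}

/* Hypothetical store routine: allocate only after validation, drop otherwise. */
void *store_packet(uint32_t caplen, uint32_t pktlen, uint32_t hdr_len, size_t *out_len)
{
    long n = checked_payload_len(caplen, pktlen, hdr_len);
    if (n <= 0)
        return NULL;                     /* nothing to store; no fatal exit */
    *out_len = (size_t)n;
    return malloc((size_t)n);
}

int main(void)
{
    uint32_t bad = 4294967295u;          /* caplen/pktlen value from the log */
    size_t n = 0;
    printf("unchecked ip len: %u\n", (unsigned)ip_len_unchecked(bad));
    printf("as signed: %d\n", (int)as_signed(bad));
    printf("checked: %ld\n", checked_payload_len(bad, bad, 40));
    void *p = store_packet(66, 66, 40, &n); /* constructed: 14 + 20 + 20 + 12 */
    printf("stored %zu bytes\n", n);
    free(p);
    return 0;
}
```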



