[Snort-devel] memory leak or .. ?

Martin Roesch roesch at ...402...
Wed Oct 3 07:01:04 EDT 2001


Pascal Bouchareine wrote:
> 
> Hi,
> 
> Love your thingie. It's running almost very fine on a distributed
> sensors architecture and handles totally around 200Mb/s of traffic
> with great results.

Cool.

> However, I have some noticeable problems with it :)
> 
> First, I use some of snort's rules to handle "flux enforcement". This is,
> I have a *lot* of ip addresses/classes and the like, put in some variables,
> and I have rules such as:
> 
> alert tcp !$MYSQL 3306 -> any any (msg: "new mysql 3 server"; \
>                    flags: A+; content: "|2e 00 00 00 0a 33 2e|"; offset: 0; \
>                    depth: 7; classtype: policy;)
> 
> I had to "patch" snort to be able to handle very-long-lines (>1024 chars)
> and very-long-variables (>256 IIRC). I did as in [1]. I thought maybe you
> would like to know.

The max size for a single line in Snort's config files is 256 bytes. 
Using the continuation character ("\") at the end of a line, you can
extend a single Snort rule line to 8k worth of data.

> My second problem is a bit complicated for me. Snort eats around 2/4k of memory
> per second, which sounds normal since you are caching data, but at some point,
> it comes out with:
> 
> Oct  2 11:01:02 snoop3 snort: Ran out of space
> Oct  2 11:01:02 snoop3 snort: Ran out of space
> Oct  2 11:01:02 snoop3 snort: Got NULL *froot in ReassembleIP(), please tell Dragos
> 
> Oops. I'm guessing this is my fault - but I want to be sure. The system handles
> around 80Mb/s on the following configuration:
> 
> Bi intel pIII-800 (some va-linux hw), FreeBSD 4.2-RELEASE, 512Mb of RAM.
> Snort is 1.8.1-RELEASE, the preprocessors are configured as follows:
> 
> preprocessor defrag

This is your probable memory leaker.  Use 'preprocessor frag2' instead,
it's leak free.

> preprocessor stream4: detect_scans, noinspect
> preprocessor stream4_reassemble: clientonly, ports 21 23 25 53 80 110 111 143
> preprocessor telnet_decode
> preprocessor http_decode: 80 -unicode
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> 
> Which, IIRC, should be able to handle 65535 simultaneous TCP flows, not
> more - is the Ran out of space linked to this fact?

Nope, that message is generated by the old defrag preprocessor.  The
stream4 code has its own memory management and is leak free (and tested
to extremis for this fact).


     -Marty


--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org