[Snort-devel] Re: Snort 2.0 on OpenBSD 3.3 Errors Out Post-Init (bug?)

Daniel J. Roelker droelker at ...402...
Mon Apr 21 06:22:06 EDT 2003


Make sure that your ulimit is set appropriately when running snort. 
Marc and I ran into some problems when we were first developing this
engine on OpenBSD because the ulimit was set too low for the user.  So
check that out.

ulimit -a : will show you what the current ones are for that user (in
your case the snort user)
ulimit -m : set this to unlimited for the snort user.

Let me know how that works for you.

Dan

On Fri, 2003-04-18 at 11:39, James Webb wrote:
> 256MB RAM + 512MB in Swap
> 
> Prior to running Snort v2, memory totals & allocation:
> 
> Memory: Real: 8164K/40M act/tot  Free: 206M  Swap: 0K/512M used/tot
> 
> While Snort is running:
> 
> Memory: Real: 48M/80M act/tot  Free: 166M  Swap: 0K/512M used/tot
> 
> Process size shows up as 40M...
> 27036 snort     36    0   40M   40M run   -        0:00  2.93% snort
> 
> Thanks,
> -JTW
> >>> Martin Roesch <roesch at ...402...> 04/18/03 10:59AM >>>
> 
> How much RAM do you have on this machine?
> 
>       -Marty
> 
> On Friday, April 18, 2003, at 10:50 AM, James Webb wrote:
> 
> > Snort Developers,
> >
> > I haven't been able to locate a mailinglist posting or other info on
> > the web regarding certain errors(below)..so I am submitting problem for
> > evaluating as potential bug.
> >
> > I have posted query to misc at ...76... to see if anyone else has been
> > able to use snort v2 on openbsd 3.3 without seeing these issues, and no
> > response as of yet.  Please disregard and accept my apologies for the
> > spam if this is known config issue.
> >
> > Thanks,
> > -JTW
> >
> > Details
> > ==================
> > System Architecture: (x86)
> > Operating System: (OpenBSD3.3 stable branch)
> > Version of Snort: Version 2.0.0 (Build 72)
> > Preprocessors: frag2,
> >                stream4: detect_scans, disable_evasion_alerts,
> >                stream4_reassemble
> >                http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> >                rpc_decode: 111 32771
> >                telnet_decode
> >
> >
> > Snort cmd-line: /usr/local/bin/snort -y -e -d -z -A full -b -u snort -g nobody -c /home/snort/conf/snort.conf -i xl0 -l /home/snort/LOGS/$DATE -L packet.log
> >
> > The following rules in snort.conf generate these errors:
> >
> > exploit.rules    -yields-   ERROR: No memory in mwmPrephashedPatternGroups()Fatal Error, Quitting...
> > scan.rules       -yields-   ERROR: No memory in mwmPrephashedPatternGroups()Fatal Error, Quitting...
> > rpc.rules        -yields-   Memory Fault
> > dos.rules        -yields-   ERROR: No memory in mwmPrephashedPatternGroups()Fatal Error, Quitting...
> > ddos.rules       -yields-   ERROR: No memory in mwmPrephashedPatternGroups()Fatal Error, Quitting...
> > web-cgi-rules    -yields-   No memory - file:fpcreate.c pmx-uricontent !
> > web-iis.rules    -yields-   ERROR: No memory in mwmPrephashedPatternGroups()Fatal Error, Quitting...
> > web-misc.rules   -yields-   Memory Fault
> >
> > If these rules are commented out Snort v2.0.0 (Build 72) runs with no
> > problems;
> > also these rules generate no issues with Snort v1.9.1
> >
> >
> - -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch at ...402... - http://www.sourcefire.com 
> Snort: Open Source Network IDS - http://www.snort.org 
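
The limit check suggested in the reply above, written as a pre-flight script to run as the snort user before starting the sensor. This is an added example, not part of the original thread or of Snort; `REQUIRED_KB` (taken from the 40M process size quoted in the thread), the function names, and the extra check of the data-segment limit (`-d`, which the thread does not mention) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight resource-limit check for the account that runs snort.
# REQUIRED_KB is an assumption based on the 40M process size quoted in the thread.
REQUIRED_KB=${REQUIRED_KB:-40960}

# limit_ok VALUE NEED_KB
# Returns 0 if VALUE (as printed by ulimit: kilobytes or "unlimited") is at
# least NEED_KB, 1 if it is too small, 2 if VALUE is not a ulimit-style value.
limit_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge "$2" ]
}

# check_limit FLAG NAME
# Prints one status line. If the soft limit is too low but the hard limit is
# high enough, raises the soft limit for this shell and its children.
check_limit() {
    soft=$(ulimit -S "$1" 2>/dev/null) || {
        echo "skip  $2: limit not supported by this shell"
        return 0
    }
    hard=$(ulimit -H "$1" 2>/dev/null)
    if limit_ok "$soft" "$REQUIRED_KB"; then
        echo "ok    $2: soft=$soft"
    elif limit_ok "$hard" "$REQUIRED_KB" && ulimit -S "$1" "$hard" 2>/dev/null; then
        echo "fixed $2: soft limit raised from $soft to $hard"
    else
        echo "FAIL  $2: soft=$soft hard=$hard need=${REQUIRED_KB}K"
        return 1
    fi
}

# preflight: returns non-zero if any checked limit cannot satisfy REQUIRED_KB.
preflight() {
    rc=0
    check_limit -d "data segment"    || rc=1
    check_limit -m "resident memory" || rc=1
    return $rc
}

# Usage (as the snort user): preflight && exec /usr/local/bin/snort -c /home/snort/conf/snort.conf -i xl0
```

A `FAIL` line means the hard limit itself is too low, so it has to be raised for that account by the administrator before snort is started.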
