[Snort-devel] Re: possible memory leak in 2.2.0RC1

Martin Roesch roesch at ...402...
Wed Aug 4 15:52:00 EDT 2004


I think this is patched in CVS.  Jeremy?

      -Marty


On Aug 4, 2004, at 1:29 PM, Joshua Fritsch wrote:

> Hello,
>
> After upgrading to snort 2.2.0RC1 we started seeing frequent crashes 
> due
> to what seems to be a memory leak. If monitoring via top you can watch 
> the
> usage go from zero to over 100MB in just a few minutes when loading 
> only
> two rules (same behavior when loading full rule set). Once the system 
> runs
> out of physical memory, snort dies.
>
> Below is the information requested in the BUGS file - - please let me 
> know
> if I can be of further assistance.
>
> -J
>
> ####################################
>
> * OpenBSD 3.2 on x86
> * Snort v2.2.0RC1
> * Standard rule set (dl from snort.org)
> * Preprocessors:
> preprocessor frag2
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
> preprocessor telnet_decode
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor flow: stats_interval 0 hash 2
>
> * Using the DB output plugin for MySQL backend (tried with and without)
> * Called via the following strings (tried both):
>
> snort -c /path/to/snort -u snort -g snort -dev -l /path/to/log -i fxp1 
> -D
> snort -c /path/to/snort -u snort -g snort -l /path/to/log -b -i fxp1 -D
>
> * Taken from /var/log/messages:
>
> Aug  4 12:06:05 nyids1 snort: FATAL ERROR: Unable to allocate memory!
> (67658 bytes in use)
>
> * No core file
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-devel mailing list