[Snort-devel] problem running snort 2.9.4 against a bridge interface (br0)

Tony Robinson deusexmachina667 at ...2499...
Sat Dec 15 00:35:32 EST 2012

I know that daq afpacket can handle bridging interfaces, but you should
still be able to run snort against a bridge interface in 2.9.4? Or was that
something I missed in the release notes?

I'm running into a problem where snort was failing to start and failing to
write to Syslog. Undaunted, I attempt to start snort manually with the
following command syntax:
/usr/local/snort/bin/snort -D -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i br0 (bro is bridging eth1 and eth2)
..and I end up with the following error after the system tells me that it
made a process for snort:
Spawning daemon child...
fork: Cannot allocate memory

I did google-fu this error before coming here and most articles seem to
point towards "not enough memory on system" or "are you on a VPS?"

-System is running in a virtual machine (ESXi 5.0.0)
-System is running on Ubuntu 12.04 64-bit with 1gb of memory (virtual
-System had 800mb+ of free memory when command execution begins (running
"watch free -m")
-Drops down to 300mb of free memory before getting the error above and just
giving up on starting or writing to the log or spawning the process (again,
"watch free -m"), still plenty of memory for it to try to claim
-the last lines in the log are:
CG snort[1448]: pcap DAQ configured to passive.
CG snort[1448]: Acquiring network traffic from "br0".
CG snort[1448]: Initializing daemon mode
..then nothing else from snort in the logs. No warns, no FATALs, nothing.
-ran ulimit -a for the root user and the snort user to verify that I'm not
putting any artificial resource limits on the snort user or root user. both
snort and the root user have access to "unlimited" resources.

I'm at a loss as to why this is happening. Just to ensure that the problem
wasn't with me trying to run snort against a bridge interface, I configured
snort to run against eth1 instead, resulting in the same error. This
problem also occurs after a reboot (I rebooted the box because some windows
habits die hard.)

I have an strace on my system from running this command, but wanted to post
here to see if maybe this was a known bug, issue, or if this is even an
issue/bug at all and I'm just 'doing it wrong' before bothering to post it.

OS: ESXi 5.0.0
VM: Ubuntu 12.04 64-bit
Snort 2.9.4 (text rules from 2931 registered users snapshot; configured via
pulled pork (security ruleset); NO SO rules enabled(pp with -T option);
compiled with --prefix=/usr/local/snort --enable-sourcefire and no other

I have another Ubuntu 12.04 vm (32-bit) configured to listen against eth1
and do not experience this problem at all.

Any ideas?


when does reality end? when does fantasy begin?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20121215/317bfea8/attachment.html>

More information about the Snort-devel mailing list