[Snort-users] Memory leak

Martin Roesch roesch at ...1935...
Sat Jun 2 23:19:11 EDT 2001


Theoretically, you should be able to drop the updated code from the 1.8
preprocessors into 1.7, recompile and run.  That's not a 100% guarantee,
but it's possible.  At the very least you should be able to put the
updated stream2 code into 1.7 and it should work...

    -Marty

Sid wrote:
> 
> Hi,
> 
> Yup, things are better after turning off defrag and Spade. But are these
> fixed somewhere or do i have to wait for 1.8 to roll out?
> 
> Siddhartha
> 
> ----- Original Message -----
> From: "Martin Roesch" <roesch at ...1935...>
> To: "Sid" <s_i_d_j at ...131...>
> Cc: "Fyodor" <fygrave at ...121...>; <william.c.gercken at ...1971...>; "Erek
> Adams" <erek at ...577...>; <snort-users at lists.sourceforge.net>;
> <snort-users-admin at lists.sourceforge.net>
> Sent: Friday, May 04, 2001 9:06 AM
> Subject: Re: [Snort-users] Memory leak
> 
> > Ok, try turning off the defrag plugin too and tell us how it goes....
> >
> >     -Marty
> >
> > Sid wrote:
> > >
> > > Hmm ... My available memory is down to 550 MB after eight hours of
> running
> > > snort 1.7 ... me thinks its something other than Spade (i turned it
> off).
> > >
> > > Btw, i am still getting the same crashes with Snort 1.8beta4 (Build 15).
> > >
> > > Siddhartha
> > >
> > > ----- Original Message -----
> > > From: "Martin Roesch" <roesch at ...1935...>
> > > To: "Sid" <s_i_d_j at ...131...>
> > > Cc: "Fyodor" <fygrave at ...121...>; <william.c.gercken at ...1971...>;
> "Erek
> > > Adams" <erek at ...577...>; <snort-users at lists.sourceforge.net>;
> > > <snort-users-admin at lists.sourceforge.net>
> > > Sent: Thursday, May 03, 2001 9:16 PM
> > > Subject: Re: [Snort-users] Memory leak
> > >
> > > > Turn off SPADE and see if it continues...
> > > >
> > > >    -Marty
> > > >
> > > > Sid wrote:
> > > > >
> > > > > ----snort.conf-------
> > > > > var INTERNAL [x.x.x.x/24,y.y.y.y/16]
> > > > > var EXTERNAL any
> > > > > var SMTP $INTERNAL
> > > > > var HTTP_SERVERS $INTERNAL
> > > > > var DNS_SERVERS [a.a.a.a/32,b.b.b.b/32]
> > > > >
> > > > > preprocessor minfrag: 256
> > > > > preprocessor defrag
> > > > > preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
> > > > > preprocessor http_decode: 80
> > > > > preprocessor portscan: $INTERNAL 4 3 portscan.log
> > > > > preprocessor portscan-ignorehosts: $DNS_SERVERS
> > > > >
> > > > > var SPADEDIR /usr/local/snort/spade
> > > > > preprocessor spade: 10.5 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3
> 50000
> > > > > preprocessor spade-homenet: 202.87.0.0/16
> > > > > preprocessor spade-threshlearn: 200 24
> > > > > preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> > > > > preprocessor spade-stats: entropy uncondprob condprob
> > > > >
> > > > > output database: alert, mysql, user=root password=xxxx dbname=snort
> > > > > host=localhost
> > > > > output alert_full: alert
> > > > > -------------------------------------------------------------
> > > > >
> > > > > cmdline switches :-
> > > > > -----------------------
> > > > > /usr/local/snort/bin/snort -D -d -C -i hme1 -c
> > > > > /usr/local/snort/conf/snort.conf -l /usr/local/snort/log/snort
> > > > > -----------------------
> > > > >
> > > > > Siddhartha
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Fyodor" <fygrave at ...121...>
> > > > > To: "Sid" <s_i_d_j at ...131...>
> > > > > Cc: "Martin Roesch" <roesch at ...1935...>;
> > > <william.c.gercken at ...1971...>;
> > > > > "Erek Adams" <erek at ...577...>;
> > > <snort-users at lists.sourceforge.net>;
> > > > > <snort-users-admin at lists.sourceforge.net>
> > > > > Sent: Thursday, May 03, 2001 9:05 PM
> > > > > Subject: Re: [Snort-users] Memory leak
> > > > >
> > > > > > On Thu, May 03, 2001 at 08:43:32PM +0530, Sid wrote:
> > > > > > > No guys!!! This is Snort 1.7. On Solaris 2.6/UltraSparc-II
> (Dual, 1
> > > GB
> > > > > RAM).
> > > > > > >
> > > > > >
> > > > > > can we see your snort.conf and cmdline switches if possible? :)
> > > > >
> > > > > _________________________________________________________
> > > > > Do You Yahoo!?
> > > > > Get your free @yahoo.com address at http://mail.yahoo.com
> > > >
> > > > --
> > > > Martin Roesch
> > > > roesch at ...1935...
> > > > http://www.sourcefire.com - http://www.snort.org
> > >
> > > _________________________________________________________
> > > Do You Yahoo!?
> > > Get your free @yahoo.com address at http://mail.yahoo.com
> >
> > --
> > Martin Roesch
> > roesch at ...1935...
> > http://www.sourcefire.com - http://www.snort.org
> 
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org




More information about the Snort-users mailing list