[Snort-users] spp_tcp_stream2.c, "Not enough memory"

Phil Wood cpw at ...440...
Fri Jun 8 16:24:54 EDT 2001


Folks,

I've got a 4G machine running 2.4.4 Linux (config'd to use 4G).  Snort
Version 1.8-beta5 (Build 24), exit(1)'s in spp_tcp_stream2.c after
a malloc failure with the message:

  Not enough memory!

I modified spp_tcp_stream2.c to use this subroutine:

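   # #include <fcntl.h>     /* open, O_RDONLY */
   # #include <stdio.h>     /* printf */
   # #include <unistd.h>    /* read, close */
   #
   # char meminfo_buff[1024];
   # char *meminfo = "/proc/meminfo";
   # void print_meminfo (char *, int );
   ...

   # /* Print the failure message, then dump /proc/meminfo to stdout. */
   # void print_meminfo (char *message, int memsize)
   # {
   #     int fd;
   #     int size;
   # 
   #     printf ("%s, memsize is %d\n", message, memsize);
   #     if ((fd = open (meminfo, O_RDONLY)) >= 0)   /* 0 is a valid descriptor */
   #     {
   #         /* leave one byte for the terminating NUL */
   #         if ((size = read (fd, meminfo_buff, sizeof (meminfo_buff) - 1)) > 0)
   #         {
   #             meminfo_buff[size] = 0;
   #             printf ("%s\n", meminfo_buff);
   #         }
   #         close (fd);
   #     }
   # }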

instead of printf.  Then, I waited for a day and here is what I got:

   # Not enough memory(2)!, memsize is 1460
   #       total:     used:      free:      shared: buffers: cached:
   # Mem:  4022599680 3480231936 542367744        0 55443456 1958895616
   # Swap: 542826496        0 542826496
   # MemTotal:      3928320 kB 
   # MemFree:        529656 kB 
   # MemShared:           0 kB
   # Buffers:         54144 kB
   # Cached:        1912984 kB
   # Active:           2740 kB
   # Inact_dirty:   1964388 kB
   # Inact_clean:         0 kB
   # Inact_target:      100 kB
   # HighTotal:     3080184 kB
   # HighFree:         2036 kB
   # LowTotal:       848136 kB
   # LowFree:        527620 kB
   # SwapTotal:      530104 kB 
   # SwapFree:       530104 kB

Snort is running "unlimited" with regard to memory:

   # ulimit -a
   # core file size (blocks)     unlimited
   # data seg size (kbytes)      unlimited
   # file size (blocks)          unlimited
   # max locked memory (kbytes)  unlimited
   # max memory size (kbytes)    unlimited
   # open files                  1024
   # pipe size (512 bytes)       8
   # stack size (kbytes)         8192
   # cpu time (seconds)          unlimited
   # max user processes          8192
   # virtual memory (kbytes)     unlimited

So, does anyone have an idea or two about what might be going on?  I might
be misreading the meminfo, but it appears that I still have some memory.
What is also interesting is that snort is using a large amount of memory,
3480231936, when it decides to exit.  Actually, there is another snort
process running which uses about 15% of what this one does.  So, although
I don't have the facts, I'd say that it was running with about 3 Gig of
memory.  Seems a bit much.  I'd entertain suggestions on how to improve
the debug.  Should I cause a segmentation fault instead of exit?  I'm ready
for some ideas.

Thanks,

Phil
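
The debugging idea in the message above (dump /proc data when malloc fails), as an added example that is not part of the original post and is not Snort code: it uses a bounded, NUL-terminated read and logs the process's own VmSize from /proc/self/status next to the system-wide MemFree. The function names and the `sample` string (constructed from four lines of the dump in the post) are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample: four lines copied from the meminfo dump in the post. */
const char sample[] = "MemTotal:      3928320 kB\nMemFree:        529656 kB\n"
                      "HighFree:         2036 kB\nLowFree:        527620 kB\n";

/* Hypothetical helper: read at most cap-1 bytes so the NUL always fits. */
long read_proc(const char *path, char *buf, size_t cap)
{
    size_t used = 0;
    ssize_t n;
    int fd = cap ? open(path, O_RDONLY) : -1;
    if (fd < 0)                 /* 0 is a valid descriptor, so test < 0 */
        return -1;
    while (used < cap - 1 && (n = read(fd, buf + used, cap - 1 - used)) > 0)
        used += (size_t)n;      /* /proc reads may be short; keep going */
    close(fd);
    buf[used] = '\0';
    return (long)used;
}

/* Hypothetical helper: number after "key:" on a line starting with key, or -1. */
long proc_field_kb(const char *text, const char *key)
{
    size_t klen = strlen(key);
    char *end;
    while (*text) {
        if (strncmp(text, key, klen) == 0 && text[klen] == ':') {
            long v = strtol(text + klen + 1, &end, 10);
            return (end != text + klen + 1 && v >= 0) ? v : -1;
        }
        text += strcspn(text, "\n");    /* skip to end of this line */
        text += (*text == '\n');        /* step over the newline, if any */
    }
    return -1;
}

/* Call where malloc fails: this process's size next to the system total. */
void report_alloc_failure(size_t want)
{
    char self[4096] = "", sys[4096] = "";
    read_proc("/proc/self/status", self, sizeof self);
    read_proc("/proc/meminfo", sys, sizeof sys);
    fprintf(stderr, "alloc of %lu bytes failed: self VmSize %ld kB, system MemFree %ld kB\n",
            (unsigned long)want, proc_field_kb(self, "VmSize"), proc_field_kb(sys, "MemFree"));
}
```

A field prints as -1 when the file or the key is not available on the running system.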



