[Snort-users] Snort-2.0 "buglet"? Wrong error on out-of-memory error

Jason Haar Jason.Haar at ...294...
Tue Jun 17 17:37:12 EDT 2003

I run snort-2.0 under softlimit to ensure snort never runs off and swallows
all the RAM on the system:


exec /usr/local/bin/softlimit -o 100 -a 70000000 \
 /usr/sbin/snort.20 -i eth1 -c /etc/snort20/host.conf \
 -U -y -u snort -g snort -e -o -I -l log \
 -t /var/log/snort not esp and not src host this_host

Anyway, I decided to reconfigure snort to use a whole buncha extra rules,
and it crashed at startup:

Rule application order: ->pass->activation->dynamic->alert->log->tagged
ERROR: Absdir is not a subset of the logdirFatal Error, Quitting..

Huh? Well yeah - I'm running it in a jail, etc. But after some farting
around I realised it was nothing to do with the logfile locations - it was
just that the extra rules had pushed snort's memory usage above 60M. So I
banged it up to 70 and away it's gone.

So the question is: can memory issues be caught earlier and reported as such
- instead of totally non-related errors like that occurring?



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list