[Snort-users] snort >= 2.1.2 on OpenBSD -current and memory limits

Jon Hart warchild at ...8039...
Tue Apr 27 19:54:14 EDT 2004


Hi,

I've rambled about this problem on and off in #snort a few times.  

I'm running OpenBSD 3.5 -current, and I've tried both Snort 2.1.2 from
ports and 2.1.2 and 2.1.3RC1 from source.  My snort.conf is mostly
default, the only exception being I'm using some of the rule files that
are disabled by default.

The problem is this:

	FATAL ERROR: No memory in mwmPrephashedPatternGroups() Try
	uncommenting the "config detection: search-method"in snort.conf

I'd much rather not settle for a sub-optimal search method.  This
machine has 256M of RAM (plus 256M of swap), and does little else except
some light firewall duties.  Something somewhere is killing snort,
because once is tries to malloc() more than 64M in total, further
malloc()s fail.  It just so happens that this particular malloc() is in
sfutil/mwm.c.

A week or more ago I thought I had it figured out.  /etc/login.conf
looked to be imposing memory limits on the group that my snort user was
in, so I bumped it up higher.  This worked for a bit until I updated my
ruleset.  As luck would have it, the additional rules again bumped me up
over some memory limit, and once again the same malloc() is failing.
Now regardless of how high I put the limits, the malloc still fails.

I can verify this by running some simple C code that mallocs ~64M of
memory.  It'll fail.  It will also fail if I run the same code as root,
which makes me think that /etc/login.conf is no longer at fault.  I
recall earlier this week on the OpenBSD lists one of the developers
talking about memory (stack?) limitations on the Sparc, and that they
would never go over 8M.  This makes me think that somewhere there is a
memory limit I don't know about.

So.... does anyone here use Snort on a truly current openbsd box?  If
so, what did you do to get it to work.


Thanks,

-jon






More information about the Snort-users mailing list