[Snort-users] OpenPcap() (doc typo)

Justin Heath justin.heath at ...11827...
Wed Jun 21 10:53:38 EDT 2006


No problem.

Thanks for the report on the typo.


On 6/21/06, Gentoo-Wally <gentoowally at ...11827...> wrote:
>
> FYI this was exactly the problem. Just wanted to post to note that
> there is a typo in the 2.6.0 docs in the config detection section...
>
> – ac-sparebands Aho-Corasick Sparse-Banded (small memory, high
> performance)
>
> Should probably be...
>
> – ac-sparSebands Aho-Corasick Sparse-Banded (small memory, high
> performance)
>
> Thx for the help,
> Wally
>
>
> On 6/20/06, Gentoo-Wally <gentoowally at ...11827...> wrote:
> > That is probably exactly what I'm looking for. Thx for the reminder.
> >
> > Wally
> >
> > On 6/20/06, Justin Heath <justin.heath at ...11827...> wrote:
> > > This was posted from Steve Sturges a little while back on snort-users:
> > >
> > >  "As noted in the RELEASE.NOTES, there was a change in the
> > >  default pattern matching engine from Wu-Manber to standard
> > >  Aho-Corasick which is faster but consumes more memory.
> > >
> > >  This effectively replaced an implicit config of
> > >
> > >  config detection: search-method mwm
> > >
> > >  with
> > >
> > >  config detection: search-method ac
> > >
> > >  The Aho-Corasick implementation in snort has a few different
> > >  memory models, standard, full, banded, sparse, and sparse
> > > >  banded.  The sparse and sparse-banded ones consume much less
> > >  memory... To use them, add a snort.conf line, as desired,
> > >  for example.  Wu-Manber is being deprecated in the next
> > >  release.
> > >
> > >  config detection: search-method ac-sparsebands
> > >
> > >  There is also the lowmem method, which is slow, but uses
> > >  very little memory."
> > >
> > >
> > > On 6/20/06, Gentoo-Wally <gentoowally at ...11827...> wrote:
> > > > Thx. So do you think a jump from 25% usage in 2.4.5 to 90% usage in
> > > > 2.6.0 on a machine with 1Gb ram should be expected?
> > > >
> > > > On 6/20/06, Joel Esler <joel.esler at ...1935... > wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > > Snort 2.6 uses more memory than its predecessors.  The OpenPcap msg you
> > > > > > saw is normal, it's just telling you that there is no IP assigned to the
> > > > > > sniffing interface (eth0).  Which, if you are using a promisc card
> > > > > > interface with no IP, is exactly what you want...
> > > > >
> > > > > Joel
> > > > >
> > > > > Gentoo-Wally wrote:
> > > > > > > I've started looking at snort 2.6.0 and have run into something strange.
> > > > > >
> > > > > > Compile info:
> > > > > > 1. gcc 4.1.1
> > > > > > > 2. ./configure --enable-dynamicplugin --enable-dependency-tracking
> > > > > > > --with-libpcap-includes=/usr/include/
> > > > > > > --with-libpcap-libraries=/usr/lib/
> > > > > > > 3. Have tried libpcap 0.9.4 and the current version of phil woods libpcap
> > > > > > 4. Gentoo Linux box
> > > > > > 5. 'ifconfig eth0 up promisc' to bring the interface up
> > > > > >
> > > > > > No errors during ./configure && make && make install
> > > > > >
> > > > > > when I start snort it hangs for 15-30 seconds at...
> > > > > >
> > > > > > Initializing Network Interface eth0
> > > > > > OpenPcap() device eth0 network lookup:
> > > > > >         eth0: no IPv4 address assigned
> > > > > > Decoding Ethernet on interface eth0
> > > > > >
> > > > > >
> > > > > > I'm starting it like this..
> > > > > >
> > > > > > /usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c
> > > > > > /usr/local/etc/snort/snort.conf
> > > > > >
> > > > > > also tried...
> > > > > >
> > > > > > /usr/local/bin/snort -i eth0 -l /var/log/snort -c
> > > > > > /usr/local/etc/snort/snort.conf
> > > > > >
> > > > > >
> > > > > > > At this point memory consumption skyrockets to 95% usage even with
> > > > > > > all preprocessors except flow turned off. After about 30 seconds it
> > > > > > > finishes initializing and appears to work correctly but at 95% memory
> > > > > > > consumption and swap usage begins kicking in.
> > > > > >
> > > > > > > I googled the OpenPcap message but found nothing that seems relevant
> > > > > > > to my situation.
> > > > > >
> > > > > > > I also have a snort 2.4.5 install on the same box. When it starts I do
> > > > > > > not see the OpenPcap message and it works flawlessly at around 18-24%
> > > > > > > mem usage with all preprocessors on.
> > > > > >
> > > > > > > I also tried compiling 2.6.0 without the new dynamic preprocessors or
> > > > > > > the dep tracking and I still get the openpcap message and crazy mem
> > > > > > > usage.
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > Wally
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users at lists.sourceforge.net
> > > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > Snort-users list archive:
> > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > >
> > > > >
> > > > > - --
> > > > >
> > >
> +---------------------------------------------------------------------+
> > > > > Joel Esler           Senior Security Consultant
> 1-706-627-2101
> > > > > Sourcefire    Security for the /Real/ World --
> http://www.sourcefire.com
> > > > > Snort - Open Source Network IPS/IDS -- http://www.snort.org
> > > > > GPG Key http://demo.sourcefire.com/jesler.pgp.key
> > > > >
> > >
> +---------------------------------------------------------------------+
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > > Version: GnuPG v1.4.3 (Darwin)
> > > > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > > > >
> > > > >
> > > iD8DBQFEmBrGKbCSyXHckt4RAq9HAJ45D9emK3cHcWf7WoR+Ex1DmykHlQCgovM3
> > > > > cxap2QpG64S7+k8Tr2UOvLQ=
> > > > > =xdKQ
> > > > > -----END PGP SIGNATURE-----
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
>
>
>
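
Added example, not part of the original thread and not Snort code: a small check that scans a snort.conf for `config detection: search-method` lines and flags keywords such as the misprinted `ac-sparebands`, suggesting the nearest known one. The function name, the sample config and the keyword set (limited to the four keywords quoted in this thread) are assumptions.

```python
import difflib
import re

# Assumption: only the keywords quoted in this thread; extend this set from
# the manual that ships with your Snort version.
KNOWN_METHODS = frozenset({"mwm", "ac", "ac-sparsebands", "lowmem"})

# Captures the option list of a "config detection: ..." line.
DETECTION_RE = re.compile(r"^\s*config\s+detection\s*:\s*(.*)$")


def check_search_methods(conf_text, known=KNOWN_METHODS):
    """Return (line_no, keyword, suggestion) for each unrecognised keyword."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore comments
        match = DETECTION_RE.match(line)
        if not match:
            continue
        tokens = match.group(1).replace(",", " ").split()
        if "search-method" not in tokens:
            continue
        idx = tokens.index("search-method")
        # An empty keyword means the option was given without a value.
        keyword = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        if keyword in known:
            continue
        close = difflib.get_close_matches(keyword, sorted(known), n=1)
        findings.append((line_no, keyword, close[0] if close else None))
    return findings


# Constructed snort.conf excerpt; line 3 uses the keyword as misprinted in the doc.
SAMPLE_CONF = "\n".join([
    "# constructed excerpt",
    "var HOME_NET any",
    "config detection: search-method ac-sparebands  # from the 2.6.0 doc",
    "config detection: search-method lowmem",
])

if __name__ == "__main__":
    for line_no, keyword, hint in check_search_methods(SAMPLE_CONF):
        print(f"line {line_no}: unknown search-method {keyword!r}; "
              f"did you mean {hint!r}?")
```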