[Snort-users] Snort 2.6.0.2 (Build 85) - pfault

Chris U chris.uyehara at ...11827...
Fri Oct 20 04:37:54 EDT 2006


Hi Snort Users,

I just wanted to say thanks for helping me out... It has come to my
attention that Snort 2.6 consumes a vast amount of memory. [when
compared to previous releases, 2.4.x]

My solution was to uncomment "config detection: search-method lowmem"

Snort *now* runs smoothly, consuming between 40-60 MB of RAM.

Thanks again,
Chris

On 10/19/06, rmkml <rmkml at ...953...> wrote:
> Hi Chris,
> snort26 uses more memory and maybe the FreeBSD VM killed the snort process ...
> what is in your log (syslog)?
> how much memory do you have?
> Regards
> Rmkml
>
>
>
> On Thu, 19 Oct 2006, Chris U wrote:
>
> > Date: Thu, 19 Oct 2006 16:50:00 -1000
> > From: Chris U <chris.uyehara at ...11827...>
> > To: Snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Snort 2.6.0.2 (Build 85) - pfault
> >
> > Hi Snort Users,
> >
> > I'm in need of some help... I am using FreeBSD 5.5 [Generic Kernel]. I
> > installed Snort via ports. When I run snort with the following command
> > line: "snort -i sis0 -v -c snort.conf -l ./logs" Snort tries to
> > start up... what really happens is that snort begins to consume RAM; once
> > RAM has been fully consumed it consumes SWAP. Once SWAP is full, Snort
> > will die and pfault - or so says top. I have included a snippet of
> > output from top and snort. A nicely printed version is available at
> > http://tinyurl.com/yxdekg
> >
> > Any help would be greatly appreciated!
> >
> > Mahalo,
> > Chris
> >
> > ~~~~~~~~~~~~~ BEGIN top snippet ~~~~~~~~~~~~~
> >  PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
> >  471 root     124    0   194M   193M RUN      0:38 93.03% 80.47% snort
> >  440 root      96    0  2260K  1092K RUN      0:06  1.76%  1.76% top
> > ~~~~~~~~~~~~~ END top snippet ~~~~~~~~~~~~~
> >
> > ~~~~~~~~~~~~~ BEGIN snort snippet ~~~~~~~~~~~~~
> > [root at ...13955... /usr/local/etc/snort]# snort -i sis0 -v -c snort.conf -l ./logs
> > Running in IDS mode
> >
> >        --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > -------------------------------------------------
> > Keyword     |       Preprocessor @
> > -------------------------------------------------
> > rpc_decode   :       0x808ee34
> > bo           :       0x808e190
> > telnet_decode:       0x809bbc8
> > stream4      :       0x8090820
> > stream4_reassemble:       0x8091e2c
> > stream4_external:       0x80918ec
> > frag2        :       0x80a8134
> > arpspoof     :       0x808d798
> > arpspoof_detect_host:       0x808d8c0
> > http_inspect :       0x80a1b70
> > http_inspect_server:       0x80a1b70
> > PerfMonitor  :       0x809c250
> > flow         :       0x80a4e84
> > flow-portscan:       0x80b27fc
> > sfportscan   :       0x80a7370
> > frag3_global :       0x80aa608
> > frag3_engine :       0x80aa714
> > -------------------------------------------------
> >
> > -------------------------------------------------
> > Keyword     |      Plugin Registered @
> > -------------------------------------------------
> > content      :      0x8080ae0
> > content-list :      0x8080a18
> > offset       :      0x8080c30
> > depth        :      0x8080d7c
> > nocase       :      0x8080edc
> > rawbytes     :      0x8080fd0
> > regex        :      0x80812c4
> > uricontent   :      0x8080b88
> > distance     :      0x8081024
> > within       :      0x8081174
> > replace      :      0x807f160
> > flags        :      0x8085544
> > itype        :      0x807d340
> > icode        :      0x807c928
> > ttl          :      0x8086154
> > id           :      0x807e140
> > ack          :      0x8085370
> > seq          :      0x8085c8c
> > dsize        :      0x807c2d0
> > ipopts       :      0x807eb50
> > rpc          :      0x80844a8
> > icmp_id      :      0x807ce10
> > icmp_seq     :      0x807d0a8
> > session      :      0x8084bdc
> > tos          :      0x807e878
> > fragbits     :      0x807d824
> > fragoffset   :      0x807ddd8
> > window       :      0x8085e3c
> > ip_proto     :      0x807e380
> > sameip       :      0x807e6fc
> > flow         :      0x8086704
> > byte_test    :      0x8086f24
> > byte_jump    :      0x8087964
> > isdataat     :      0x8088ec4
> > pcre         :      0x8088390
> > flowbits     :      0x80898d0
> > asn1         :      0x808a604
> > react        :      0x8082b20
> > resp         :      0x8083a60
> > ftpbounce    :      0x808acb0
> > urilen       :      0x808b1c8
> > -------------------------------------------------
> >
> > -------------------------------------------------
> > Keyword     |          Output @
> > -------------------------------------------------
> > alert_syslog :       0x807449c
> > log_tcpdump  :       0x8079254
> > database     :       0x807647c
> > alert_fast   :       0x80738c0
> > alert_full   :       0x8073f30
> > alert_unixsock:       0x8074f5c
> > alert_CSV    :       0x807546c
> > log_null     :       0x8079184
> > log_unified  :       0x807af98
> > alert_unified:       0x807acec
> > unified      :       0x8079974
> > log_ascii    :       0x807b83c
> > -------------------------------------------------
> >
> > Parsing Rules file snort.conf
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> > Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> > Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> > Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> > Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> > Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> > Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
> > Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> > Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> > Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> > Var 'AIM_SERVERS' defined, value len = 185 chars
> >   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
> >   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> > Var 'RULE_PATH' defined, value len = 7 chars, value = ./rules
> > ,-----------[Flow Config]----------------------
> > | Stats Interval:  0
> > | Hash Method:     2
> > | Memcap:          10485760
> > | Rows  :          4099
> > | Overhead Bytes:  16400(%0.16)
> > `----------------------------------------------
> > Frag3 global config:
> >    Max frags: 65536
> >    Fragment memory cap: 4194304 bytes
> > Frag3 engine config:
> >    Target-based policy: FIRST
> >    Fragment timeout: 60 seconds
> >    Fragment min_ttl:   1
> >    Fragment ttl_limit: 5
> >    Fragment Problems: 1
> >    Bound Addresses: 0.0.0.0/0.0.0.0
> > Stream4 config:
> >    Stateful inspection: ACTIVE
> >    Session statistics: INACTIVE
> >    Session timeout: 30 seconds
> >    Session memory cap: 8388608 bytes
> >    Session count max: 8192 sessions
> >    Session cleanup count: 5
> >    State alerts: INACTIVE
> >    Evasion alerts: INACTIVE
> >    Scan alerts: INACTIVE
> >    Log Flushed Streams: INACTIVE
> >    MinTTL: 1
> >    TTL Limit: 5
> >    Async Link: 0
> >    State Protection: 0
> >    Self preservation threshold: 50
> >    Self preservation period: 90
> >    Suspend threshold: 200
> >    Suspend period: 30
> >    Enforce TCP State: INACTIVE
> >    Midstream Drop Alerts: INACTIVE
> >    Server Data Inspection Limit: -1
> > WARNING snort.conf(408) => flush_behavior set in config file, using
> > old static flushpoints (0)
> > Stream4_reassemble config:
> >    Server reassembly: INACTIVE
> >    Client reassembly: ACTIVE
> >    Reassembler alerts: ACTIVE
> >    Zero out flushed packets: INACTIVE
> >    Flush stream on alert: INACTIVE
> >    flush_data_diff_size: 500
> >    Reassembler Packet Preferance : Favor Old
> >    Packet Sequence Overlap Limit: -1
> >    Flush behavior: Small (<255 bytes)
> >    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> >    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445
> > 513 1433 1521 3306
> > HttpInspect Config:
> >    GLOBAL CONFIG
> >      Max Pipeline Requests:    0
> >      Inspection Type:          STATELESS
> >      Detect Proxy Usage:       NO
> >      IIS Unicode Map Filename: ./unicode.map
> >      IIS Unicode Map Codepage: 1252
> >    DEFAULT SERVER CONFIG:
> >      Ports: 80 8080 8180
> >      Flow Depth: 300
> >      Max Chunk Length: 500000
> >      Inspect Pipeline Requests: YES
> >      URI Discovery Strict Mode: NO
> >      Allow Proxy Usage: NO
> >      Disable Alerting: NO
> >      Oversize Dir Length: 500
> >      Only inspect URI: NO
> >      Ascii: YES alert: NO
> >      Double Decoding: YES alert: YES
> >      %U Encoding: YES alert: YES
> >      Bare Byte: YES alert: YES
> >      Base36: OFF
> >      UTF 8: OFF
> >      IIS Unicode: YES alert: YES
> >      Multiple Slash: YES alert: NO
> >      IIS Backslash: YES alert: NO
> >      Directory Traversal: YES alert: NO
> >      Web Root Traversal: YES alert: YES
> >      Apache WhiteSpace: YES alert: NO
> >      IIS Delimiter: YES alert: NO
> >      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> >      Non-RFC Compliant Characters: NONE
> >      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> > rpc_decode arguments:
> >    Ports to decode RPC on: 111 32771
> >    alert_fragments: INACTIVE
> >    alert_large_fragments: ACTIVE
> >    alert_incomplete: ACTIVE
> >    alert_multiple_requests: ACTIVE
> > Portscan Detection Config:
> >    Detect Protocols:  TCP UDP ICMP IP
> >    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
> >    Sensitivity Level: Low
> >    Memcap (in bytes): 10000000
> >    Number of Nodes:   36900
> >
> > 5462 Snort rules read...
> > 5462 Option Chains linked into 210 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Tagged Packet Limit: 256
> >
> > +-----------------------[thresholding-config]----------------------------------
> > | memory-cap : 1048576 bytes
> > +-----------------------[thresholding-global]----------------------------------
> > | none
> > +-----------------------[thresholding-local]-----------------------------------
> > | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5
> > seconds=60
> > | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10
> > seconds=10
> > | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5
> > seconds=2
> > | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5
> > seconds=2
> > | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5
> > seconds=2
> > | gen-id=1      sig-id=4984       type=Threshold tracking=src count=5
> > seconds=2
> > | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10
> > seconds=60
> > | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10
> > seconds=60
> > | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5
> > seconds=2
> > | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5
> > seconds=60
> > +-----------------------[suppression]------------------------------------------
> > | none
> > -------------------------------------------------------------------------------
> > Rule application order: ->activation->dynamic->pass->drop->alert->log
> > Log directory = ./logs
> > Loading dynamic engine
> > /usr/local/lib/snort/dynamicengine/libsf_engine.so... done
> > Loading all dynamic preprocessor libs from
> > /usr/local/lib/snort/dynamicpreprocessor/...
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> > done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so...
> > done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
> >  Finished Loading all dynamic preprocessor libs from
> > /usr/local/lib/snort/dynamicpreprocessor/
> > FTPTelnet Config:
> >    GLOBAL CONFIG
> >      Inspection Type: stateful
> >      Check for Encrypted Traffic: YES alert: YES
> >      Continue to check encrypted data: NO
> >    TELNET CONFIG:
> >      Ports: 23
> >      Are You There Threshold: 200
> >      Normalize: YES
> >    FTP CONFIG:
> >      FTP Server: default
> >        Ports: 21
> >        Check for Telnet Cmds: YES alert: YES
> >        Identify open data channels: YES
> >      FTP Client: default
> >        Check for Bounce Attacks: YES alert: YES
> >        Check for Telnet Cmds: YES alert: YES
> >        Max Response Length: 256
> > SMTP Config:
> >      Ports: 25
> >      Inspection Type:            STATEFUL
> >      Normalize Spaces:           YES
> >      Ignore Data:                NO
> >      Ignore TLS Data:            NO
> >      Ignore Alerts:              NO
> >      Max Command Length:         0
> >      Max Header Line Length:     0
> >      Max Response Line Length:   0
> >      X-Link2State Alert:         YES
> >      Drop on X-Link2State Alert: NO
> > DNS config:
> >    DNS Client rdata txt Overflow Alert: ACTIVE
> >    Obsolete DNS RR Types Alert: INACTIVE
> >    Experimental DNS RR Types Alert: INACTIVE
> >    Ports: 53
> > Verifying Preprocessor Configurations!
> > Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> > Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> > Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> > Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set
> > but not ever checked.
> >
> > Initializing Network Interface sis0
> > Var 'sis0_ADDRESS' defined, value len = 25 chars, value =
> > 10.100.10.0/255.255.255.0
> > Decoding Ethernet on interface sis0
> > Killed
> > [root at ...13955... /usr/local/etc/snort]#
> > ~~~~~~~~~~~~~ END snort snippet ~~~~~~~~~~~~~
> >
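The fix in this thread was a single snort.conf line that was present but commented out. The script below is an added example for checking that state before restarting a sensor; it is not code from the thread or from the Snort project. It assumes Snort 2.6 reads the directive as "config detection: search-method <name>" and, where several uncommented directives exist, reports the last one; the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project: confirm whether a
# snort.conf really enables "config detection: search-method lowmem" (the fix
# Chris applied by uncommenting that line) and emit an edited copy with the
# line enabled. Assumption: Snort 2.6 reads the directive as
# "config detection: search-method <name>"; if several uncommented directives
# exist, the last one is reported here.

# Print the search-method from the last uncommented "config detection:" line,
# or "unset" if no active directive names one.
snort_search_method() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out line: ignore
        /^[ \t]*config[ \t]+detection[ \t]*:/ {
            if (match($0, /search-method[ \t]+[A-Za-z0-9_-]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/search-method[ \t]+/, "", s)
                method = s
            }
        }
        END { print (method == "" ? "unset" : method) }
    ' "$1"
}

# Count "config detection:" directives that are still commented out; a count
# of 1 together with an "unset" result is the state the original poster
# started from (the line was in the file but disabled).
snort_commented_detection_lines() {
    grep -c '^[[:space:]]*#[[:space:]]*config[[:space:]]*detection[[:space:]]*:' "$1" || true
}

# Write a copy of the config to stdout with the commented lowmem directive
# enabled; the original file is left untouched so the change can be reviewed.
snort_enable_lowmem() {
    sed 's/^[[:space:]]*#[[:space:]]*\(config[[:space:]]*detection[[:space:]]*:[[:space:]]*search-method[[:space:]]*lowmem\)/\1/' "$1"
}

# Constructed sample snort.conf fragment mirroring the "present but commented"
# state described in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HTTP_PORTS 80
# config detection: search-method lowmem
preprocessor frag3_global
EOF
}

# Demo: runs only when a config path is given, so the functions can also be
# sourced from another script.
if [ -n "${1:-}" ]; then
    conf="$1"
    echo "active search-method: $(snort_search_method "$conf")"
    echo "commented detection lines: $(snort_commented_detection_lines "$conf")"
fi
```

Run it as `sh check_lowmem.sh /usr/local/etc/snort/snort.conf` to see whether the directive is active, and pipe `snort_enable_lowmem` into a new file rather than overwriting the original. After editing, `snort -T -c snort.conf` validates the configuration without sniffing, and a per-process memory limit (`ulimit -v` or a FreeBSD login class) makes a sensor that still outgrows its host fail at startup instead of filling swap first.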