[Snort-users] Snort 2.6.0.2 (Build 85) - pfault

Joel Esler joel.esler at ...1935...
Fri Oct 20 14:57:18 EDT 2006


True, but much slower.

Read:  http://www.snort.org/docs/faq/3Q06/node86.html

Joel


Chris U wrote:
> Hi Snort Users,
> 
> I just wanted to say thanks for helping me out... It has come to my
> attention that Snort 2.6 consumes a vast amount of memory. [when
> compared to previous releases, 2.4.x]
> 
> My solution was to uncomment "config detection: search-method lowmem"
> 
> Snort *now* runs smoothly, consuming between 40-60 MB of RAM.
> 
> Thanks again,
> Chris
> 
> On 10/19/06, rmkml <rmkml at ...953...> wrote:
>> Hi Chris,
>> snort26 uses more memory and maybe the FreeBSD VM killed the snort process ...
>> what is in your log (syslog)?
>> how much memory do you have?
>> Regards
>> Rmkml
>>
>>
>>
>> On Thu, 19 Oct 2006, Chris U wrote:
>>
>>> Date: Thu, 19 Oct 2006 16:50:00 -1000
>>> From: Chris U <chris.uyehara at ...11827...>
>>> To: Snort-users at lists.sourceforge.net
>>> Subject: [Snort-users] Snort 2.6.0.2 (Build 85) - pfault
>>>
>>> Hi Snort Users,
>>>
>>> I'm in need of some help... I am using FreeBSD 5.5 [Generic Kernel]. I
>>> installed Snort via ports. When I run snort with the following command
>>> line: "snort -i sis0 -v -c snort.conf -l ./logs" Snort tries to
>>> start up... what really happens... snort begins to consume RAM, once
>>> RAM has been fully consumed it consumes SWAP. Once SWAP is full, Snort
>>> will die and pfault - or so says top. I have included a snippet of
>>> output from top and snort. A nicely printed version is available at
>>> http://tinyurl.com/yxdekg
>>>
>>> Any help would be greatly appreciated!
>>>
>>> Mahalo,
>>> Chris
>>>
>>> ~~~~~~~~~~~~~ BEGIN top snippet ~~~~~~~~~~~~~
>>>  PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
>>>  471 root     124    0   194M   193M RUN      0:38 93.03% 80.47% snort
>>>  440 root      96    0  2260K  1092K RUN      0:06  1.76%  1.76% top
>>> ~~~~~~~~~~~~~ END top snippet ~~~~~~~~~~~~~
>>>
>>> ~~~~~~~~~~~~~ BEGIN snort snippet ~~~~~~~~~~~~~
>>> [root at ...13955... /usr/local/etc/snort]# snort -i sis0 -v -c snort.conf -l ./logs
>>> Running in IDS mode
>>>
>>>        --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> -------------------------------------------------
>>> Keyword     |       Preprocessor @
>>> -------------------------------------------------
>>> rpc_decode   :       0x808ee34
>>> bo           :       0x808e190
>>> telnet_decode:       0x809bbc8
>>> stream4      :       0x8090820
>>> stream4_reassemble:       0x8091e2c
>>> stream4_external:       0x80918ec
>>> frag2        :       0x80a8134
>>> arpspoof     :       0x808d798
>>> arpspoof_detect_host:       0x808d8c0
>>> http_inspect :       0x80a1b70
>>> http_inspect_server:       0x80a1b70
>>> PerfMonitor  :       0x809c250
>>> flow         :       0x80a4e84
>>> flow-portscan:       0x80b27fc
>>> sfportscan   :       0x80a7370
>>> frag3_global :       0x80aa608
>>> frag3_engine :       0x80aa714
>>> -------------------------------------------------
>>>
>>> -------------------------------------------------
>>> Keyword     |      Plugin Registered @
>>> -------------------------------------------------
>>> content      :      0x8080ae0
>>> content-list :      0x8080a18
>>> offset       :      0x8080c30
>>> depth        :      0x8080d7c
>>> nocase       :      0x8080edc
>>> rawbytes     :      0x8080fd0
>>> regex        :      0x80812c4
>>> uricontent   :      0x8080b88
>>> distance     :      0x8081024
>>> within       :      0x8081174
>>> replace      :      0x807f160
>>> flags        :      0x8085544
>>> itype        :      0x807d340
>>> icode        :      0x807c928
>>> ttl          :      0x8086154
>>> id           :      0x807e140
>>> ack          :      0x8085370
>>> seq          :      0x8085c8c
>>> dsize        :      0x807c2d0
>>> ipopts       :      0x807eb50
>>> rpc          :      0x80844a8
>>> icmp_id      :      0x807ce10
>>> icmp_seq     :      0x807d0a8
>>> session      :      0x8084bdc
>>> tos          :      0x807e878
>>> fragbits     :      0x807d824
>>> fragoffset   :      0x807ddd8
>>> window       :      0x8085e3c
>>> ip_proto     :      0x807e380
>>> sameip       :      0x807e6fc
>>> flow         :      0x8086704
>>> byte_test    :      0x8086f24
>>> byte_jump    :      0x8087964
>>> isdataat     :      0x8088ec4
>>> pcre         :      0x8088390
>>> flowbits     :      0x80898d0
>>> asn1         :      0x808a604
>>> react        :      0x8082b20
>>> resp         :      0x8083a60
>>> ftpbounce    :      0x808acb0
>>> urilen       :      0x808b1c8
>>> -------------------------------------------------
>>>
>>> -------------------------------------------------
>>> Keyword     |          Output @
>>> -------------------------------------------------
>>> alert_syslog :       0x807449c
>>> log_tcpdump  :       0x8079254
>>> database     :       0x807647c
>>> alert_fast   :       0x80738c0
>>> alert_full   :       0x8073f30
>>> alert_unixsock:       0x8074f5c
>>> alert_CSV    :       0x807546c
>>> log_null     :       0x8079184
>>> log_unified  :       0x807af98
>>> alert_unified:       0x807acec
>>> unified      :       0x8079974
>>> log_ascii    :       0x807b83c
>>> -------------------------------------------------
>>>
>>> Parsing Rules file snort.conf
>>>
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>> Initializing rule chains...
>>> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
>>> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
>>> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
>>> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
>>> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
>>> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
>>> Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
>>> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
>>> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
>>> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
>>> Var 'AIM_SERVERS' defined, value len = 185 chars
>>>   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
>>>   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>> Var 'RULE_PATH' defined, value len = 7 chars, value = ./rules
>>> ,-----------[Flow Config]----------------------
>>> | Stats Interval:  0
>>> | Hash Method:     2
>>> | Memcap:          10485760
>>> | Rows  :          4099
>>> | Overhead Bytes:  16400(%0.16)
>>> `----------------------------------------------
>>> Frag3 global config:
>>>    Max frags: 65536
>>>    Fragment memory cap: 4194304 bytes
>>> Frag3 engine config:
>>>    Target-based policy: FIRST
>>>    Fragment timeout: 60 seconds
>>>    Fragment min_ttl:   1
>>>    Fragment ttl_limit: 5
>>>    Fragment Problems: 1
>>>    Bound Addresses: 0.0.0.0/0.0.0.0
>>> Stream4 config:
>>>    Stateful inspection: ACTIVE
>>>    Session statistics: INACTIVE
>>>    Session timeout: 30 seconds
>>>    Session memory cap: 8388608 bytes
>>>    Session count max: 8192 sessions
>>>    Session cleanup count: 5
>>>    State alerts: INACTIVE
>>>    Evasion alerts: INACTIVE
>>>    Scan alerts: INACTIVE
>>>    Log Flushed Streams: INACTIVE
>>>    MinTTL: 1
>>>    TTL Limit: 5
>>>    Async Link: 0
>>>    State Protection: 0
>>>    Self preservation threshold: 50
>>>    Self preservation period: 90
>>>    Suspend threshold: 200
>>>    Suspend period: 30
>>>    Enforce TCP State: INACTIVE
>>>    Midstream Drop Alerts: INACTIVE
>>>    Server Data Inspection Limit: -1
>>> WARNING snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
>>> Stream4_reassemble config:
>>>    Server reassembly: INACTIVE
>>>    Client reassembly: ACTIVE
>>>    Reassembler alerts: ACTIVE
>>>    Zero out flushed packets: INACTIVE
>>>    Flush stream on alert: INACTIVE
>>>    flush_data_diff_size: 500
>>>    Reassembler Packet Preferance : Favor Old
>>>    Packet Sequence Overlap Limit: -1
>>>    Flush behavior: Small (<255 bytes)
>>>    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
>>>    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
>>> HttpInspect Config:
>>>    GLOBAL CONFIG
>>>      Max Pipeline Requests:    0
>>>      Inspection Type:          STATELESS
>>>      Detect Proxy Usage:       NO
>>>      IIS Unicode Map Filename: ./unicode.map
>>>      IIS Unicode Map Codepage: 1252
>>>    DEFAULT SERVER CONFIG:
>>>      Ports: 80 8080 8180
>>>      Flow Depth: 300
>>>      Max Chunk Length: 500000
>>>      Inspect Pipeline Requests: YES
>>>      URI Discovery Strict Mode: NO
>>>      Allow Proxy Usage: NO
>>>      Disable Alerting: NO
>>>      Oversize Dir Length: 500
>>>      Only inspect URI: NO
>>>      Ascii: YES alert: NO
>>>      Double Decoding: YES alert: YES
>>>      %U Encoding: YES alert: YES
>>>      Bare Byte: YES alert: YES
>>>      Base36: OFF
>>>      UTF 8: OFF
>>>      IIS Unicode: YES alert: YES
>>>      Multiple Slash: YES alert: NO
>>>      IIS Backslash: YES alert: NO
>>>      Directory Traversal: YES alert: NO
>>>      Web Root Traversal: YES alert: YES
>>>      Apache WhiteSpace: YES alert: NO
>>>      IIS Delimiter: YES alert: NO
>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>      Non-RFC Compliant Characters: NONE
>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>>> rpc_decode arguments:
>>>    Ports to decode RPC on: 111 32771
>>>    alert_fragments: INACTIVE
>>>    alert_large_fragments: ACTIVE
>>>    alert_incomplete: ACTIVE
>>>    alert_multiple_requests: ACTIVE
>>> Portscan Detection Config:
>>>    Detect Protocols:  TCP UDP ICMP IP
>>>    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>>>    Sensitivity Level: Low
>>>    Memcap (in bytes): 10000000
>>>    Number of Nodes:   36900
>>>
>>> 5462 Snort rules read...
>>> 5462 Option Chains linked into 210 Chain Headers
>>> 0 Dynamic rules
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>>
>>> Tagged Packet Limit: 256
>>>
>>> +-----------------------[thresholding-config]----------------------------------
>>> | memory-cap : 1048576 bytes
>>> +-----------------------[thresholding-global]----------------------------------
>>> | none
>>> +-----------------------[thresholding-local]-----------------------------------
>>> | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5  seconds=60
>>> | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10 seconds=10
>>> | gen-id=1      sig-id=3152       type=Threshold tracking=src count=5  seconds=2
>>> | gen-id=1      sig-id=3273       type=Threshold tracking=src count=5  seconds=2
>>> | gen-id=1      sig-id=3543       type=Threshold tracking=src count=5  seconds=2
>>> | gen-id=1      sig-id=4984       type=Threshold tracking=src count=5  seconds=2
>>> | gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10 seconds=60
>>> | gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10 seconds=60
>>> | gen-id=1      sig-id=3542       type=Threshold tracking=src count=5  seconds=2
>>> | gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5  seconds=60
>>> +-----------------------[suppression]------------------------------------------
>>> | none
>>> -------------------------------------------------------------------------------
>>> Rule application order: ->activation->dynamic->pass->drop->alert->log
>>> Log directory = ./logs
>>> Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so... done
>>> Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/...
>>>  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>>>  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
>>>  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
>>>  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
>>> FTPTelnet Config:
>>>    GLOBAL CONFIG
>>>      Inspection Type: stateful
>>>      Check for Encrypted Traffic: YES alert: YES
>>>      Continue to check encrypted data: NO
>>>    TELNET CONFIG:
>>>      Ports: 23
>>>      Are You There Threshold: 200
>>>      Normalize: YES
>>>    FTP CONFIG:
>>>      FTP Server: default
>>>        Ports: 21
>>>        Check for Telnet Cmds: YES alert: YES
>>>        Identify open data channels: YES
>>>      FTP Client: default
>>>        Check for Bounce Attacks: YES alert: YES
>>>        Check for Telnet Cmds: YES alert: YES
>>>        Max Response Length: 256
>>> SMTP Config:
>>>      Ports: 25
>>>      Inspection Type:            STATEFUL
>>>      Normalize Spaces:           YES
>>>      Ignore Data:                NO
>>>      Ignore TLS Data:            NO
>>>      Ignore Alerts:              NO
>>>      Max Command Length:         0
>>>      Max Header Line Length:     0
>>>      Max Response Line Length:   0
>>>      X-Link2State Alert:         YES
>>>      Drop on X-Link2State Alert: NO
>>> DNS config:
>>>    DNS Client rdata txt Overflow Alert: ACTIVE
>>>    Obsolete DNS RR Types Alert: INACTIVE
>>>    Experimental DNS RR Types Alert: INACTIVE
>>>    Ports: 53
>>> Verifying Preprocessor Configurations!
>>> Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
>>> Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
>>> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
>>> Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.
>>>
>>> Initializing Network Interface sis0
>>> Var 'sis0_ADDRESS' defined, value len = 25 chars, value = 10.100.10.0/255.255.255.0
>>> Decoding Ethernet on interface sis0
>>> Killed
>>> [root at ...13955... /usr/local/etc/snort]#
>>> ~~~~~~~~~~~~~ END snort snippet ~~~~~~~~~~~~~
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
> 

-- 
+---------------------------------------------------------------------+
Joel Esler  	     Senior Security Consultant 	1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
AIM: eslerjoel		Gtalk: eslerj		Yahoo: eslerjoel
+---------------------------------------------------------------------+
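Two checks that follow from this thread, as an added example (a shell script written for this page; it is not Snort project code and not from any poster). First, report which "config detection: search-method" a snort.conf actually selects: the 2.6 snort.conf ships the lowmem line commented out, and it only takes effect once the leading "#" is removed, so a grep that does not honour comments would report it as active when it is not. Second, parse a "ps -axo pid,rss,command" listing and flag a snort process whose resident set has passed a chosen limit, the way top showed 193M here before the kernel killed the process. The file names, the 64 MiB limit and the sample conf/ps contents are constructed for the demonstration; the "ac-bnfa, max_queue_events 5" line in the test data is likewise a constructed example of a directive with a trailing option.

```sh
#!/bin/sh
# Added example for this thread; not Snort project code and not from any poster.
# 1. effective_search_method: report the search-method a snort.conf actually
#    selects. The shipped 2.6 snort.conf carries
#        # config detection: search-method lowmem
#    commented out, so a grep that ignores the leading '#' would report it as
#    active when it is not.
# 2. snort_rss_kb / check_snort_memory: read a "ps -axo pid,rss,command"
#    listing (RSS in KiB on FreeBSD) and flag a snort process above a limit.
# File names, the limit and the sample contents below are assumptions.

# Print the effective "config detection: search-method" value from snort.conf
# $1. Commented lines never match. If the directive occurs more than once the
# last active one is reported (assumed to be the one that takes effect).
# Prints "default" when no active directive exists.
effective_search_method() {
    awk '
        /^[ \t]*config[ \t]+detection:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "search-method") {
                    v = $(i + 1)
                    sub(/,.*/, "", v)      # "ac-bnfa," -> "ac-bnfa"
                    last = v
                }
        }
        END { print (last == "" ? "default" : last) }' "$1"
}

# Print the RSS (KiB) of the first snort process in ps listing $1 whose
# columns are "pid rss command". Returns 1 if no snort process is listed.
snort_rss_kb() {
    awk '$3 ~ /(^|\/)snort$/ { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# Return 0 if snort's RSS is at or below $2 KiB, 1 if above, 2 if absent.
check_snort_memory() {
    rss=$(snort_rss_kb "$1") || { echo "no snort process in $1" >&2; return 2; }
    if [ "$rss" -gt "$2" ]; then
        echo "snort RSS ${rss} KiB exceeds ${2} KiB limit"
        return 1
    fi
    echo "snort RSS ${rss} KiB within ${2} KiB limit"
}

# Constructed sample inputs written into directory $1: the shipped comment
# block, the same block after uncommenting, and a ps listing mirroring the
# top snippet in the thread (193M resident = 197632 KiB).
write_samples() {
    printf '%s\n' \
        '# Use a different pattern matcher in case you have a machine with very limited' \
        '# resources:' \
        '#' \
        '# config detection: search-method lowmem' \
        'preprocessor frag3_global' > "$1/shipped.conf"
    printf '%s\n' \
        '# resources:' \
        'config detection: search-method lowmem' \
        'preprocessor frag3_global' > "$1/lowmem.conf"
    printf '%s\n' \
        '  PID    RSS COMMAND' \
        '  471 197632 snort -i sis0 -v -c snort.conf -l ./logs' \
        '  440   1092 top' > "$1/ps.txt"
}

# Demonstration run against the constructed samples.
dir=$(mktemp -d) && write_samples "$dir"
echo "shipped.conf: $(effective_search_method "$dir/shipped.conf")"   # default
echo "lowmem.conf:  $(effective_search_method "$dir/lowmem.conf")"    # lowmem
check_snort_memory "$dir/ps.txt" 65536 || :    # 64 MiB limit; 193M exceeds it
rm -rf "$dir"
```

On a real sensor, point effective_search_method at the snort.conf you start Snort with and feed check_snort_memory the output of "ps -axo pid,rss,command" from cron or a monitoring hook; a limit below the box's physical RAM gives warning before the pager, rather than the kernel, decides the outcome. After changing the search method, "snort -T -c snort.conf" runs the configuration through parsing and initialization without entering the packet loop, which is a cheaper way to see what startup costs than letting it run until it is killed.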