[Snort-users] Question

Martin Holste mcholste at ...11827...
Mon Jul 18 16:20:58 EDT 2011


And you get the same error trying to run snort when you leave the
environment variables off?

On Mon, Jul 18, 2011 at 2:48 PM, Gibson, Nathan J. (HSC)
<Nathan-Gibson at ...15095...> wrote:
> Mem:  12462404k total,   470188k used, 11992216k free,     1056k
>
>
> It shows I have 12GB
> -----Original Message-----
> From: Martin Holste [mailto:mcholste at ...11827...]
> Sent: Monday, July 18, 2011 12:10 PM
> To: Gibson, Nathan J. (HSC)
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Question
>
> That error message indicates the box doesn't have enough RAM for PF_RING to allocate its memory.  Are you sure you're not low in RAM for the box?  That might also be a product of using PCAP_MEMORY=6120.
> Try removing the environment variables as they shouldn't be needed anyway when using PF_RING (as the modprobe.conf settings control it).
>
> On Mon, Jul 18, 2011 at 9:42 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson at ...843.....15095...> wrote:
>> I have been running snort for over a year now. Nothing has changed in
>> my configuration (except new rules). I have been running the same rule
>> categories for a year. All of the sudden (about a month ago) snort
>> started randomly stopping with no apparent errors in the logs. The
>> only error I get is when I try to restart snort I get the following error.
>>
>>
>>
>> 7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) -
>> can't mmap rx ring: Cannot allocate memory!
>>
>>
>>
>>
>>
>> As I said the only variable I have are the actual rules that are
>> updated from ET and Sourcefire. Could a rule be causing this?
>>
>>
>>
>> Here are the stats on my snort config:
>>
>>
>>
>>
>>
>>    ,,_     -*> Snort! <*-
>>
>>   o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
>>
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>
>>            Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>>
>>            Using libpcap version 1.1.1
>>
>>            Using PCRE version: 6.6 06-Feb-2006
>>
>>            Using ZLIB version: 1.2.3
>>
>>
>>
>>
>>
>> PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c
>> /etc/snort/snort.conf -i eth1 -D
>>
>>
>>
>>
>>
>> top - 09:41:21 up 2 days, 24 min,  1 user,  load average: 0.14, 0.24,
>> 0.22
>>
>> Tasks: 383 total,   1 running, 382 sleeping,   0 stopped,   0 zombie
>>
>> Cpu(s):  0.2%us,  0.1%sy,  0.0%ni, 99.6%id,  0.0%wa,  0.0%hi,  0.0%si,
>> 0.0%st
>>
>> Mem:  12462404k total,   470188k used, 11992216k free,     1056k
>> buffers
>>
>> Swap:  1020116k total,        0k used,  1020116k free,   260968k
>> cached
>>
>> ----------------------------------------------------------------------
>> -------- AppSumo Presents a FREE Video for the SourceForge Community
>> by Eric Ries, the creator of the Lean Startup Methodology on "Lean
>> Startup Secrets Revealed." This video shows you how to validate your
>> ideas, optimize your ideas and identify your business strategy.
>> http://p.sf.net/sfu/appsumosfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please see http://www.snort.org/docs for documentation
>>
>




More information about the Snort-users mailing list