[Snort-users] Question

Gibson, Nathan J. (HSC) Nathan-Gibson at ...15095...
Fri Jul 22 11:30:28 EDT 2011


Thanks. I always thought the more memory you allocate to snort the less the packet loss.  

1. When I start with the variables (which I have been using for a year with no problem) I get no packet loss.  However the snort process just "disappears/stops after 24 hours" with no logs as to why. 
2. When I start without the variables Snort is stable but I get an average of 25% packet loss. 

Again I have 12GB of memory on this R710. I can't imagine why it's running out of memory.  And the fact that it's been running fine for a year is what's killing me. It has to be a rule causing this.

7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) can't mmap rx ring: Cannot allocate memory!

PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D



-----Original Message-----
From: Martin Holste [mailto:mcholste at ...11827...] 
Sent: Thursday, July 21, 2011 11:11 AM
To: Gibson, Nathan J. (HSC)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Question

The packet loss is a separate tuning issue.  That probably means things are working.  Run Snort configured with just a few rules that hit often to test it and look at your packet loss then.  If you are monitoring more than a few hundred MB/sec and you are running more than 1000 rules, I guarantee you will be dropping packets.

On Thu, Jul 21, 2011 at 10:53 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson at ...846....15095...> wrote:
> I reboot weekly.  No I don't get the errors when I remove the environment variables but I get tremendous packet loss.
>
> -----Original Message-----
> From: Martin Holste [mailto:mcholste at ...11827...]
> Sent: Monday, July 18, 2011 3:21 PM
> To: Gibson, Nathan J. (HSC)
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Question
>
> And you get the same error trying to run snort when you leave the environment variables off?
>
> On Mon, Jul 18, 2011 at 2:48 PM, Gibson, Nathan J. (HSC) <Nathan-Gibson at ...843.....15095...> wrote:
>> Mem:  12462404k total,   470188k used, 11992216k free,     1056k
>>
>>
>> It shows I have 12GB
>> -----Original Message-----
>> From: Martin Holste [mailto:mcholste at ...11827...]
>> Sent: Monday, July 18, 2011 12:10 PM
>> To: Gibson, Nathan J. (HSC)
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Question
>>
>> That error message indicates the box doesn't have enough RAM for PF_RING to allocate its memory.  Are you sure you're not low in RAM for the box?  That might also be a product of using PCAP_MEMORY=6120.
>> Try removing the environment variables as they shouldn't be needed anyway when using PF_RING (as the modprobe.conf settings control it).
>>
>> On Mon, Jul 18, 2011 at 9:42 AM, Gibson, Nathan J. (HSC) <Nathan-Gibson at ...15095...> wrote:
>>> I have been running snort for over a year now. Nothing has changed
>>> in my configuration (except new rules). I have been running the same
>>> rule categories for a year. All of a sudden (about a month ago)
>>> snort started randomly stopping with no apparent errors in the logs.
>>> The only error I get is when I try to restart snort I get the following error.
>>>
>>> 7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) - can't mmap rx ring: Cannot allocate memory!
>>>
>>> As I said the only variables I have are the actual rules that are
>>> updated from ET and Sourcefire. Could a rule be causing this?
>>>
>>> Here are the stats on my snort config:
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
>>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>>            Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>>>            Using libpcap version 1.1.1
>>>            Using PCRE version: 6.6 06-Feb-2006
>>>            Using ZLIB version: 1.2.3
>>>
>>> PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D
>>>
>>> top - 09:41:21 up 2 days, 24 min,  1 user,  load average: 0.14, 0.24, 0.22
>>> Tasks: 383 total,   1 running, 382 sleeping,   0 stopped,   0 zombie
>>> Cpu(s):  0.2%us,  0.1%sy,  0.0%ni, 99.6%id,  0.0%wa,  0.0%hi, 0.0%si, 0.0%st
>>> Mem:  12462404k total,   470188k used, 11992216k free,     1056k buffers
>>> Swap:  1020116k total,        0k used,  1020116k free,   260968k cached