Gibson, Nathan J. (HSC)
Nathan-Gibson at ...15095...
Mon Jul 25 10:37:27 EDT 2011
Good info. I am running in AC. For now I am running without the buffers. I'll take the packet loss over having snort stop running. I guess I will reevaluate my rule set to get that trimmed up... until snort can multi-thread... God, I can't wait until that.
config detection: search-method ac search-optimize
preprocessor frag3_global: max_frags 75536, memcap 143654912
preprocessor stream5_global: memcap 134217728, max_tcp 1048576, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5,
Thanks again for all your help!
From: Martin Holste [mailto:mcholste at ...11827...]
Sent: Saturday, July 23, 2011 12:19 AM
To: Gibson, Nathan J. (HSC)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Question
Ring buffer memory is only a buffer, and a buffer will eventually fail if the CPU cannot keep up with the traffic. No matter how large the buffer, eventually it will run out because it's in a losing game. A large buffer just buys you a few seconds before the packet loss. One thing a lot of RAM will get you is the ability to run ac for your pattern matching engine instead of ac-split. That will increase performance and might let your CPU keep up.
> 1. When I start with the variables (which I have been using for a year with no problem) I get no packet loss. However the snort process just "disappears/stops after 24 hours" with no logs as to why.
Sounds like a cron job is killing it.
> 2. When I start without the variables Snort is stable but I get an average of 25% packet loss.
As I understand it, PF_RING won't use those variables anyway. To get a look, cat /proc/net/pf_ring/<file for snort pid> which should give you the best numbers.
> Again I have 12GB of memory on this R710. I can't imagine why it's running out of memory. And the fact that it's been running fine for a year is what's killing me. It has to be a rule causing this.
> 7/18/2011 9:33 AM : snort: FATAL ERROR: Can't start DAQ (-1) can't mmap rx ring: Cannot allocate memory!
> PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D
I don't think it's actually running out of memory or can't allocate it, I think it's a different problem. What are your daq config variables?
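
The ring-buffer point made in the quoted reply, worked as a small queue simulation. This is an added example, not part of the original thread; the per-tick packet rates and the queue model are assumptions, and 65535 slots is the PCAP_FRAMES value quoted in the thread.

```python
"""Added illustration: a fixed-size capture ring feeding a single sensor process."""


def simulate(ring_slots, pattern, serviced_per_tick, ticks):
    """Return (first_drop_tick or None, dropped, offered).

    Assumed model: on each tick the NIC offers pattern[tick % len(pattern)]
    packets, the ring accepts what fits and drops the rest, then the sensor
    drains up to `serviced_per_tick` packets.
    """
    queued = dropped = offered = 0
    first_drop = None
    for tick in range(ticks):
        arriving = pattern[tick % len(pattern)]
        offered += arriving
        accepted = min(arriving, ring_slots - queued)
        lost = arriving - accepted
        if lost and first_drop is None:
            first_drop = tick
        dropped += lost
        queued += accepted
        queued -= min(queued, serviced_per_tick)
    return first_drop, dropped, offered


def loss_fraction(result):
    """Fraction of offered packets that were dropped."""
    _, dropped, offered = result
    return dropped / offered if offered else 0.0


if __name__ == "__main__":
    # Sustained overload (constructed rates): 100 packets offered per tick,
    # 75 inspected. A bigger ring only moves the first drop later; the
    # long-run loss still heads toward 1 - 75/100 = 25%.
    for slots in (1000, 65535):
        r = simulate(slots, [100], 75, 100_000)
        print(f"overload ring={slots:>6} first_drop=tick {r[0]:>5} "
              f"loss={loss_fraction(r):.1%}")

    # Bursty load whose mean (100/tick) is below capacity (150/tick):
    # here ring size is the whole difference between 50% loss and none.
    for slots in (200, 400):
        r = simulate(slots, [400, 0, 0, 0], 150, 4000)
        print(f"bursty   ring={slots:>6} first_drop={r[0]} "
              f"loss={loss_fraction(r):.1%}")
```
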