[Snort-users] problem running snort 2.9.4 against a bridge interface (br0)

Tony Robinson deusexmachina667 at ...11827...
Sat Dec 15 11:49:51 EST 2012

I've narrowed down the problem. It seems that this problem only occurs when
I specify the -D command option to Daemonize snort.

running snort against br0 as root or the snort user using my snort.conf
works perfectly fine, but the moment I go to daemonize it, it doesn't want
to fork a child process for snort.

On Sat, Dec 15, 2012 at 12:35 AM, Tony Robinson
<deusexmachina667 at ...11827...>wrote:

> I know that daq afpacket can handle bridging interfaces, but you should
> still be able to run snort against a bridge interface in 2.9.4? Or was that
> something I missed in the release notes?
> I'm running into a problem where snort was failing to start and failing to
> write to Syslog. Undaunted, I attempt to start snort manually with the
> following command syntax:
> /usr/local/snort/bin/snort -D -u snort -g snort -c
> /usr/local/snort/etc/snort.conf -i br0 (bro is bridging eth1 and eth2)
> ..and I end up with the following error after the system tells me that it
> made a process for snort:
> Spawning daemon child...
> fork: Cannot allocate memory
> I did google-fu this error before coming here and most articles seem to
> point towards "not enough memory on system" or "are you on a VPS?"
> -System is running in a virtual machine (ESXi 5.0.0)
> -System is running on Ubuntu 12.04 64-bit with 1gb of memory (virtual
> machine)
> -System had 800mb+ of free memory when command execution begins (running
> "watch free -m")
> -Drops down to 300mb of free memory before getting the error above and
> just giving up on starting or writing to the log or spawning the process
> (again, "watch free -m"), still plenty of memory for it to try to claim
> -the last lines in the log are:
> CG snort[1448]: pcap DAQ configured to passive.
> CG snort[1448]: Acquiring network traffic from "br0".
> CG snort[1448]: Initializing daemon mode
> ..then nothing else from snort in the logs. No warns, no FATALs, nothing.
> -ran ulimit -a for the root user and the snort user to verify that I'm not
> putting any artificial resource limits on the snort user or root user. both
> snort and the root user have access to "unlimited" resources.
> I'm at a loss as to why this is happening. Just to ensure that the problem
> wasn't with me trying to run snort against a bridge interface, I configured
> snort to run against eth1 instead, resulting in the same error. This
> problem also occurs after a reboot (I rebooted the box because some windows
> habits die hard.)
> I have an strace on my system from running this command, but wanted to
> post here to see if maybe this was a known bug, issue, or if this is even
> an issue/bug at all and I'm just 'doing it wrong' before bothering to post
> it.
> OS: ESXi 5.0.0
> VM: Ubuntu 12.04 64-bit
> Snort 2.9.4 (text rules from 2931 registered users snapshot; configured
> via pulled pork (security ruleset); NO SO rules enabled(pp with -T option);
> compiled with --prefix=/usr/local/snort --enable-sourcefire and no other
> options)
> I have another Ubuntu 12.04 vm (32-bit) configured to listen against eth1
> and do not experience this problem at all.
> Any ideas?
> DA
> --
> when does reality end? when does fantasy begin?

when does reality end? when does fantasy begin?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121215/9a0b5589/attachment.html>

More information about the Snort-users mailing list