[Snort-users] problem running snort 2.9.4 against a bridge interface (br0)

Tony Robinson deusexmachina667 at ...11827...
Sat Dec 15 19:09:11 EST 2012

Figured it out. This was a layer 8 problem. Apparently I never configured a
swap partition on my vm... even though the vm had free memory,  I added a
swap partition and everything is working fine.
On Dec 15, 2012 11:49 AM, "Tony Robinson" <deusexmachina667 at ...11827...>

> I've narrowed down the problem. It seems that this problem only occurs
> when I specify the -D command option to Daemonize snort.
> running snort against br0 as root or the snort user using my snort.conf
> works perfectly fine, but the moment I go to daemonize it, it doesn't want
> to fork a child process for snort.
> On Sat, Dec 15, 2012 at 12:35 AM, Tony Robinson <
> deusexmachina667 at ...11827...> wrote:
>> I know that daq afpacket can handle bridging interfaces, but you should
>> still be able to run snort against a bridge interface in 2.9.4? Or was that
>> something I missed in the release notes?
>> I'm running into a problem where snort was failing to start and failing
>> to write to Syslog. Undaunted, I attempt to start snort manually with the
>> following command syntax:
>> /usr/local/snort/bin/snort -D -u snort -g snort -c
>> /usr/local/snort/etc/snort.conf -i br0 (bro is bridging eth1 and eth2)
>> ..and I end up with the following error after the system tells me that it
>> made a process for snort:
>> Spawning daemon child...
>> fork: Cannot allocate memory
>> I did google-fu this error before coming here and most articles seem to
>> point towards "not enough memory on system" or "are you on a VPS?"
>> -System is running in a virtual machine (ESXi 5.0.0)
>> -System is running on Ubuntu 12.04 64-bit with 1gb of memory (virtual
>> machine)
>> -System had 800mb+ of free memory when command execution begins (running
>> "watch free -m")
>> -Drops down to 300mb of free memory before getting the error above and
>> just giving up on starting or writing to the log or spawning the process
>> (again, "watch free -m"), still plenty of memory for it to try to claim
>> -the last lines in the log are:
>> CG snort[1448]: pcap DAQ configured to passive.
>> CG snort[1448]: Acquiring network traffic from "br0".
>> CG snort[1448]: Initializing daemon mode
>> ..then nothing else from snort in the logs. No warns, no FATALs, nothing.
>> -ran ulimit -a for the root user and the snort user to verify that I'm
>> not putting any artificial resource limits on the snort user or root user.
>> both snort and the root user have access to "unlimited" resources.
>> I'm at a loss as to why this is happening. Just to ensure that the
>> problem wasn't with me trying to run snort against a bridge interface, I
>> configured snort to run against eth1 instead, resulting in the same error.
>> This problem also occurs after a reboot (I rebooted the box because some
>> windows habits die hard.)
>> I have an strace on my system from running this command, but wanted to
>> post here to see if maybe this was a known bug, issue, or if this is even
>> an issue/bug at all and I'm just 'doing it wrong' before bothering to post
>> it.
>> OS: ESXi 5.0.0
>> VM: Ubuntu 12.04 64-bit
>> Snort 2.9.4 (text rules from 2931 registered users snapshot; configured
>> via pulled pork (security ruleset); NO SO rules enabled(pp with -T option);
>> compiled with --prefix=/usr/local/snort --enable-sourcefire and no other
>> options)
>> I have another Ubuntu 12.04 vm (32-bit) configured to listen against eth1
>> and do not experience this problem at all.
>> Any ideas?
>> DA
>> --
>> when does reality end? when does fantasy begin?
> --
> when does reality end? when does fantasy begin?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121215/b8f4174d/attachment.html>

More information about the Snort-users mailing list