[Snort-users] how does sniffing use memory?

Jason Haar Jason_Haar at ...15306...
Tue Sep 10 00:20:03 EDT 2013

Hi there

We have a snort box that has daemonlogger running on it as well as
snort. It was crashing via

27982 setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER,
"\3\r\202H\377\177\0\0000tp\0\0\0\0\0", 16) = -1 ENOMEM (Cannot allocate
27982 setsockopt(3, SOL_SOCKET, SO_DETACH_FILTER, [0], 4) = 0
27982 write(2, "Warning: Kernel filter failed: C"..., 54) = 54

This is a CentOS-6 64-bit system with 4G RAM. I know that's not much, but
there's no swapping. There is a BPF filter - but I tried it with no
filter and it crashed too.

We also have other identical boxes that don't show this symptom. I just
know that if I reboot this problem will be magically "solved" - but that
is obviously not a real solution.

Can someone explain to me just what is behind this issue, as I need to
be able to figure out just which of our boxes are "underspec'ed"?



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
