[Snort-users] Lowmem issue

James Lay jlay at ...13475...
Mon Feb 6 10:51:53 EST 2017


Been seeing these as of late:

Feb  6 15:05:46 snort[21636]: FATAL ERROR: Can't start DAQ (-1) - eth0: 
Couldn't allocate enough memory for the kernel packet ring!!

free -lm:

              total       used       free     shared    buffers     
cached
Mem:         12012      11281        730       1207         38       
5599
Low:         12012      11281        730
High:            0          0          0
-/+ buffers/cache:       5642       6369
Swap:         5235       1192       4043


Not sure where to check...memorywise I'm running with:

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 
20
config event_queue: max_queue 8 log 3 order_events content_length
config paf_max: 16000

Any thoughts would be awesome...thank you.

James




More information about the Snort-users mailing list