[Snort-users] Lowmem issue

Y M snort at ...15979...
Mon Feb 6 12:48:21 EST 2017


Admittedly, I haven't seen this one before. But, are you running the native daq or some other layer, like pf_ring daq? I have seen similar messages when Snort is already running (with pf_ring) and starting new instances of Snort could lead to similar messages because daq is already "allocated/occupied". I could be totally off here.

YM


________________________________
From: James Lay <jlay at ...13475...>
Sent: Monday, February 6, 2017 6:51:53 PM
To: Snort
Subject: [Snort-users] Lowmem issue

Been seeing these as of late:

Feb  6 15:05:46 snort[21636]: FATAL ERROR: Can't start DAQ (-1) - eth0: Couldn't allocate enough memory for the kernel packet ring!!

free -lm:

             total       used       free     shared    buffers     cached
Mem:         12012      11281        730       1207         38       5599
Low:         12012      11281        730
High:            0          0          0
-/+ buffers/cache:       5642       6369
Swap:         5235       1192       4043


Not sure where to check...memorywise I'm running with:

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
config paf_max: 16000

Any thoughts would be awesome...thank you.

James
