[Snort-users] Lowmem issue

James Lay jlay at ...13475...
Mon Feb 6 12:56:36 EST 2017


Currently just using afpacket.  Thanks as always YM!

James

On 2017-02-06 10:48, Y M wrote:
> Admittedly, I haven't seen this one before. But, are you running the
> native daq or some other layer, like pf_ring daq? I have seen similar
> messages when Snort is already running (with pf_ring) and starting new
> instances of Snort could lead to similar messages because daq is
> already "allocated/occupied". I could be totally off here.
> 
> YM
> 
> -------------------------
> 
> FROM: James Lay <jlay at ...13475...>
> SENT: Monday, February 6, 2017 6:51:53 PM
> TO: Snort
> SUBJECT: [Snort-users] Lowmem issue
> 
> Been seeing these as of late:
> 
> Feb  6 15:05:46 snort[21636]: FATAL ERROR: Can't start DAQ (-1) -
> eth0:
> Couldn't allocate enough memory for the kernel packet ring!!
> 
> free -lm:
> 
>               total       used       free     shared    buffers
> cached
> Mem:         12012      11281        730       1207         38
> 5599
> Low:         12012      11281        730
> High:            0          0          0
> -/+ buffers/cache:       5642       6369
> Swap:         5235       1192       4043
> 
> Not sure where to check...memorywise I'm running with:
> 
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
> config checksum_mode: all
> config pcre_match_limit: 3500
> config pcre_match_limit_recursion: 1500
> config detection: search-method ac-split search-optimize
> max-pattern-len
> 20
> config event_queue: max_queue 8 log 3 order_events content_length
> config paf_max: 16000
> 
> Any thoughts would be awesome...thank you.
> 
> James
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!




More information about the Snort-users mailing list