No subject


Thu Nov 23 16:36:19 EST 2017


kernel will use, then on top of that, add on what 2 instances of snort will
use.  With your 'default' configs, stream4 allocates 8mb per instance, leaving
only 16mb for the OS, Firewall, and rest of snort to use.

> I have almost the default configuration (see below) and I use these two
> command lines:
>
> /usr/local/bin/snort -c /usr/local/etc/snort/snort-hp.conf -A fast -i xl0 -D
> /usr/local/bin/snort -dvi xl0 -D -b

If you are using -b you do not need to ever use -v or -d.  You're telling it
to log each packet to STDOUT and decode the packets while logging to binary.
Binary logging logs the full packet for later readback and examination.  I'd
suggest changing that to "-i xl0 -D -b" instead.

> if I do a full portscan of the honeypot from a workstation within my LAN,
> the fw crashes and reboots
> the message displayed is:
>
> panic: malloc: out of space in kmem_map
>
> my questions are:
>
> 1- is it possible to have a dump of _all_ the traffic and not just logged
> packets PLUS "real time" alerts with a single snort process?

Sure.  Add a "log any" rule to the .conf for the honeypot.  Better yet, go and
check out Lance Spitzner's config for honeypots at:

  http://project.honeynet.org/papers/honeynet/snort.conf

> 2- is my problem a known problem and if yes, what is the workaround if any?

No, not known.  Seems to be your setup.

> 3- is it a snort issue or an openbsd issue?

I'm guessing it's hardware.  I'd guess there's just not enough memory left on
the box to keep track of all the streams of data coming in and reassemble them
all.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
