Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Y M (snortoutlook.com)
Date: Tue May 07 2013 - 02:45:49 CDT
The other day I ran into this issue where the sensor box crashed while I was tailing with a message like "snort invoked oom-killer". This was partially caused by myself as I mistakenly forgot that an existing Snort process is already running, and initiated a new process (without the proper settings for running multiple Snort instances) in another ssh session.
That said, I do not believe this was caused by Snort itself. However, I have never experienced this behavior before. Here are the details.
I was baselining a Snort sensor to be deployed in inline mode; tweaking Snort configurations to find the the most appropriate configurations for the scenario/network the sensor is being deployed for. I usually use an x64 OS, however since this box (server) is an old one, it only takes an x86 OS.
Briefly, the sensor specs:-OS: Ubuntu 12.04 x86, 3.2.0-40-generic-pae-CPU: 2x Xeon 2.8 GHz-RAM: 6GB-NICs: 4 NICs; 2 Intel 82545GM Gigabit Ethernet Controller, and 2 NetXtreme BCM5701 Gigabit Ethernet. The NetXtreme ones are being used for Snort.
Snort wise:-Snort version: 188.8.131.52 GRE (Build 73)-DAQ version: 2.0.0; afpacket being used.-Enabled rules: 30 rules only.-Enabled preprocessors: normalize, frag3, http_inspect, dcerpc2, the other preprocessors are disabled/commented. Minor configuration changes (memcap, max_gzip_mem, server_flow_depth, client_flow_depth, etc.)
I tracked down the issue (i guess) to be caused by the DAQ buffer size (buffer_size_mb). Given how the actual memory is allocated for the DAQ buffer size as explained in the DAQ readme file, i came to the following conclusion:
if daq_var: buffer_size_mb > 640 MB (total/actual allocated memory passes 1GB), the machine freezes.if daq_var: buffer_size_mb <= 640 MB (total/actual allocated memory remains under 1 GB), everything goes smoothly.
I have witnessed this behavior on an x86 OS only (I had other x64 boxes freeze twice only, but could not find why and lets leave it for now). I tested a VM with 4GB of RAM only, daq_var: buffer_size_mb=1024, with the same configurations and running 8 instances of Snort and it worked as expected. The only difference was that the server edition was an x64 version of Ubuntu.
My question is, are there any limitations to the DAQ buffer size under an x86 OS and not an x64 OS? Is this only bound to the hardware I am using?
Sorry for the lengthy email. Thanks.YM
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-users mailing list
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org to stay current on all the latest Snort news!