Re: [Snort-users] snort: FATAL ERROR: Unable to allocate memory!

Hi all....

ok...now i have detect what the problem is...
actually, i added bleeding snort rules instead of having normal snort
rules...
maybe the memory is not enough to process all the rules...because the
sensor is located at very busy subnet...
when i disable the bleeding snort rules, the snort on the openbsd box
run smoothly....
but, i have another openbsd box (same spec as another box) running snort
with bleeding snort rules...but not in busy subnet and it can run well...
btw, thanx to all of u who spend your precious time hellping me... :)
happy new year guys....

p/s: sorry for the bad english...

Alex Kirk wrote:

> Zulkurnain,
>
> Well, judging from what you've posted of dmesg and /var/log/all.log,
> it's pretty obvious that you've got plenty of memory for Snort to be
> running in, and that you've got at least some of the basics properly
> configured (i.e. Snort will run for at least a little while).
>
> Given this, I'd suggest looking into what Prabu had suggested (my
> apologies if that's your last name or if I've otherwise mangled it);
> that sounds like a likely candidate for the source of your problem.
> Additionally, you'll want to make sure you've properly configured your
> $HOME_NET and $EXTERNAL_NET variables, so that Snort can look at only
> packets that are relevant instead of all of them (not setting these
> two is an excellent way to chew up large chunks of memory); also, you
> may want to disable rules that aren't relevant to your network, i.e.
> oracle.rules if you've not got any Oracle servers.
>
> Alex Kirk
> Research Analyst
> Sourcefire. Inc.
>
>> Alex Kirk wrote:
>>
>>>
>>> * dmesg for the boxes this is occuring on (perhaps they just simply
>>> don't have enough RAM to cope with what you're trying to do, there's
>>> a driver problem, etc.)
>>
>>
>>
>> dmesg | more ..... i just add some more memory to the box...i also
>> paste error message from /var/log/all.log (below).... if anybody
>> know what is going wrong, pls let me know...
>> -------------------
>> OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004
>> deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>> cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache)
>> 449 MHz
>> cpu0:
>> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MC A,CMOV,PAT,PSE36,SER,MMX
>>
>> ,FXSR,SSE
>> cpu0: disabling processor serial number
>> real mem = 402227200 (392800K)
>> avail mem = 366387200 (357800K)
>> using 4278 buffers containing 20213760 bytes (19740K) of memory
>> mainbus0 (root)
>> bios0 at mainbus0: AT/286+(b7) BIOS, date 05/19/99, BIOS32 rev. 0 @
>> 0xfd7a0
>> apm0 at bios0: Power Management spec V1.2
>> apm0: AC on, battery charge unknown
>> pcibios0 at bios0: rev. 2.1 @ 0xfd7a0/0x860
>> pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfdf30/176 (9 entries)
>> pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev
>> 0x00)
>> pcibios0: PCI bus #1 is the last bus
>> bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4800 0xe0000/0x4000!
>> 0xe4000/0xc000
>> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
>> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
>> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
>> -------------------------
>>
>>>
>>> * All the messages from /var/log/message surrounding this error (in
>>> case there are other things which are leading up to this problem)
>>
>>
>>
>> tail from /var/log/all.log...snort only running about 30 minutes...
>> -------------
>> Dec 20 09:54:56 ids1 snort: [1:553:7] POLICY FTP anonymous login
>> attempt [Classification: Misc activity] [Priority: 3]: <fxp0> {TCP}
>> 217.196.121.21:3117 -> xxx.xxx.xxx.xxx:21
>> Dec 20 09:55:56 ids1 snort: [1:2003:7] MS-SQL Worm propagation
>> attempt [Classification: Misc Attack] [Priority: 2]: <fxp0> {UDP}
>> 61.156.8.111:1240 -> xxx.xxx.xxx.xxx:1434
>> Dec 20 09:55:56 ids1 snort: FATAL ERROR: Unable to allocate memory!
>> (8193 requested)
>> Dec 20 10:00:01 ids1 cron[4705]: (root) CMD (/usr/bin/newsyslog)
>> Dec 20 10:00:01 ids1 cron[6273]: (root) CMD (/usr/sbin/sendmail -L
>> sm-msp-queue -Ac -q)
>> -------------------------------
>>
>>>
>>>
>>> I can't guarantee I can solve this, but I'd be happy to give it a shot.
>>>
>>> Alex Kirk
>>> Research Analyst
>>> Sourcefire, Inc.
>>>
>>> [ Scanned by JARING E-Mail Virus Scanner ( http://www.jaring.my ) ]
>>>
>>
>

--
zul
-- Anything without choice are something that cannot be choosen. --
http://pgp.mit.edu:11371/pks/lookup?...rch=0xA0551B32
Key fingerprint = 28E4 8465 A65B 7CEC 4A4E 138F 26A3 9AA2 A055 1B32




-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users