
Snort mailing list archives

Snort invoked oom-killer
From: Y M <snort () outlook com>
Date: Tue, 7 May 2013 07:45:49 +0000

The other day I ran into this issue where the sensor box crashed while I was tailing with a message like "snort invoked 
oom-killer". This was partially caused by myself as I mistakenly forgot that an existing Snort process is already 
running, and initiated a new process (without the proper settings for running multiple Snort instances) in another ssh 
session.
That said, I do not believe this was caused by Snort itself. However, I have never experienced this behavior before. 
Here are the details.
I was baselining a Snort sensor to be deployed in inline mode; tweaking Snort configurations to find the most appropriate configurations for the scenario/network the sensor is being deployed for. I usually use an x64 OS, however since this box (server) is an old one, it only takes an x86 OS.
Briefly, the sensor specs:
- OS: Ubuntu 12.04 x86, 3.2.0-40-generic-pae
- CPU: 2x Xeon 2.8 GHz
- RAM: 6GB
- NICs: 4 NICs; 2 Intel 82545GM Gigabit Ethernet Controller, and 2 NetXtreme BCM5701 Gigabit Ethernet. The NetXtreme ones are being used for Snort.
Snort wise:
- Snort version: 2.9.4.6 GRE (Build 73)
- DAQ version: 2.0.0; afpacket being used.
- Enabled rules: 30 rules only.
- Enabled preprocessors: normalize, frag3, http_inspect, dcerpc2, the other preprocessors are disabled/commented. Minor configuration changes (memcap, max_gzip_mem, server_flow_depth, client_flow_depth, etc.)
I tracked down the issue (I guess) to be caused by the DAQ buffer size (buffer_size_mb). Given how the actual memory is allocated for the DAQ buffer size as explained in the DAQ readme file, I came to the following conclusion:
- if daq_var: buffer_size_mb > 640 MB (total/actual allocated memory passes 1GB), the machine freezes.
- if daq_var: buffer_size_mb <= 640 MB (total/actual allocated memory remains under 1 GB), everything goes smoothly.
I have witnessed this behavior on an x86 OS only (I had other x64 boxes freeze twice only, but could not find why and let's leave it for now). I tested a VM with 4GB of RAM only, daq_var: buffer_size_mb=1024, with the same configurations and running 8 instances of Snort and it worked as expected. The only difference was that the server edition was an x64 version of Ubuntu.
My question is, are there any limitations to the DAQ buffer size under an x86 OS and not an x64 OS? Is this only bound 
to the hardware I am using?
Sorry for the lengthy email. Thanks.
YM
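The sizing question the post raises (how much afpacket ring memory a sensor can hold before the kernel runs out of memory, and why the ceiling differs between a 32-bit PAE kernel and an x64 one) can be turned into a pre-deployment check. The script below is an added example, not code from the post or from the Snort/DAQ projects. It assumes, as a hypothetical simplification, that total ring memory scales as buffer_size_mb times the number of interfaces and Snort instances times an allocation factor (the real per-interface allocation is the one described in the DAQ README, so the factor is a placeholder to be set per DAQ version), and that on a 32-bit kernel with HIGHMEM the rings must fit in the kernel's low-memory zone, which /proc/meminfo reports as LowTotal, while on a 64-bit kernel the ceiling is MemTotal. The /proc/meminfo excerpts and kernel log lines are constructed samples, not captures from the poster's sensor; the oom_events helper shows how the "invoked oom-killer" / "Killed process" pair the post mentions can be picked out of a kernel log after the fact.

```python
#!/usr/bin/env python3
"""Added example: size afpacket ring buffers against the usable memory zone.

Assumptions (hypothetical, not from the post or the DAQ README):
  * planned ring memory = buffer_size_mb * interfaces * instances * alloc_factor
    (alloc_factor=1.0 is a placeholder; set it to match the DAQ version in use)
  * 32-bit HIGHMEM kernels expose LowTotal in /proc/meminfo and that zone is the
    ceiling for the rings; 64-bit kernels expose no LowTotal, so MemTotal is used
"""
import re

# Constructed /proc/meminfo excerpt resembling a 32-bit PAE kernel with 6 GB RAM.
MEMINFO_X86_PAE = """\
MemTotal:        6291456 kB
MemFree:         5400000 kB
HighTotal:       5386240 kB
HighFree:        5000000 kB
LowTotal:         905216 kB
LowFree:          400000 kB
"""

# Constructed /proc/meminfo excerpt resembling a 64-bit kernel with 4 GB RAM.
MEMINFO_X64 = """\
MemTotal:        4194304 kB
MemFree:         3500000 kB
"""

# Constructed kernel log lines in the format the OOM killer uses.
KERNEL_LOG = """\
[ 1042.311] snort invoked oom-killer: gfp_mask=0xd0, order=0, oom_adj=0, oom_score_adj=0
[ 1042.312] Out of memory: Kill process 2581 (snort) score 612 or sacrifice child
[ 1042.313] Killed process 2581 (snort) total-vm:1310720kB, anon-rss:4096kB, file-rss:0kB
"""

MEMINFO_LINE = re.compile(r"^(\w+):\s+(\d+)\s*kB$")
OOM_INVOKED = re.compile(r"(\S+) invoked oom-killer")
OOM_KILLED = re.compile(r"Killed process (\d+) \((\S+)\)")


def parse_meminfo(text):
    """Return {field: kilobytes} for /proc/meminfo-style text."""
    fields = {}
    for line in text.splitlines():
        m = MEMINFO_LINE.match(line.strip())
        if m:
            fields[m.group(1)] = int(m.group(2))
    return fields


def planned_ring_mb(buffer_size_mb, interfaces, instances, alloc_factor=1.0):
    """Estimate total ring memory (MB) across interfaces and Snort instances."""
    return buffer_size_mb * interfaces * instances * alloc_factor


def ring_ceiling_mb(meminfo):
    """Return (ceiling_mb, zone): LowTotal on 32-bit HIGHMEM kernels, else MemTotal."""
    if "LowTotal" in meminfo:
        return meminfo["LowTotal"] // 1024, "LowTotal"
    return meminfo["MemTotal"] // 1024, "MemTotal"


def check_ring_plan(meminfo_text, buffer_size_mb, interfaces, instances,
                    alloc_factor=1.0, headroom=0.8):
    """Flag a plan whose ring memory exceeds `headroom` of the usable zone."""
    ceiling, zone = ring_ceiling_mb(parse_meminfo(meminfo_text))
    need = planned_ring_mb(buffer_size_mb, interfaces, instances, alloc_factor)
    return {"zone": zone, "ceiling_mb": ceiling, "planned_mb": need,
            "ok": need <= ceiling * headroom}


def oom_events(kernel_log):
    """Extract ('invoked', name) and ('killed', pid, name) tuples from a kernel log."""
    events = []
    for line in kernel_log.splitlines():
        m = OOM_INVOKED.search(line)
        if m:
            events.append(("invoked", m.group(1)))
            continue
        m = OOM_KILLED.search(line)
        if m:
            events.append(("killed", int(m.group(1)), m.group(2)))
    return events


if __name__ == "__main__":
    # Same buffer_size_mb=1024 on two interfaces: fits on x64, not in x86 lowmem.
    for label, text in (("x86 PAE", MEMINFO_X86_PAE), ("x64", MEMINFO_X64)):
        print(label, check_ring_plan(text, 1024, interfaces=2, instances=1))
    print(oom_events(KERNEL_LOG))
```

On a live sensor, replace the constructed MEMINFO_* strings with the contents of /proc/meminfo and run the check once per planned buffer_size_mb before restarting Snort; a second accidental instance, as in the post, simply doubles the instances argument.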