mailing list archives
Snort invoked oom-killer
From: Y M <snort () outlook com>
Date: Tue, 7 May 2013 07:45:49 +0000
The other day I ran into this issue where the sensor box crashed while I was tailing with a message like "snort invoked
oom-killer". This was partially caused by myself as I mistakenly forgot that an existing Snort process is already
running, and initiated a new process (without the proper settings for running multiple Snort instances) in another ssh
That said, I do not believe this was caused by Snort itself. However, I have never experienced this behavior before.
Here are the details.
I was baselining a Snort sensor to be deployed in inline mode; tweaking Snort configurations to find the the most
appropriate configurations for the scenario/network the sensor is being deployed for. I usually use an x64 OS, however
since this box (server) is an old one, it only takes an x86 OS.
Briefly, the sensor specs:-OS: Ubuntu 12.04 x86, 3.2.0-40-generic-pae-CPU: 2x Xeon 2.8 GHz-RAM: 6GB-NICs: 4 NICs; 2
Intel 82545GM Gigabit Ethernet Controller, and 2 NetXtreme BCM5701 Gigabit Ethernet. The NetXtreme ones are being used
Snort wise:-Snort version: 188.8.131.52 GRE (Build 73)-DAQ version: 2.0.0; afpacket being used.-Enabled rules: 30 rules
only.-Enabled preprocessors: normalize, frag3, http_inspect, dcerpc2, the other preprocessors are disabled/commented.
Minor configuration changes (memcap, max_gzip_mem, server_flow_depth, client_flow_depth, etc.)
I tracked down the issue (i guess) to be caused by the DAQ buffer size (buffer_size_mb). Given how the actual memory is
allocated for the DAQ buffer size as explained in the DAQ readme file, i came to the following conclusion:
if daq_var: buffer_size_mb > 640 MB (total/actual allocated memory passes 1GB), the machine freezes.if daq_var:
buffer_size_mb <= 640 MB (total/actual allocated memory remains under 1 GB), everything goes smoothly.
I have witnessed this behavior on an x86 OS only (I had other x64 boxes freeze twice only, but could not find why and
lets leave it for now). I tested a VM with 4GB of RAM only, daq_var: buffer_size_mb=1024, with the same configurations
and running 8 instances of Snort and it worked as expected. The only difference was that the server edition was an x64
version of Ubuntu.
My question is, are there any limitations to the DAQ buffer size under an x86 OS and not an x64 OS? Is this only bound
to the hardware I am using?
Sorry for the lengthy email. Thanks.YM
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org to stay current on all the latest Snort news!
- Snort invoked oom-killer Y M (May 07)