Re: [Snort-users] Snort 2.6.0.2 (Build 85) - pfault

Subject: Re: [Snort-users] Snort 2.6.0.2 (Build 85) - pfault
Date: Thu, 19 Oct 2006 22:37:54 -1000
Hi Snort Users,

I just wanted to say thanks for helping me out... It has come to my
attention that Snort 2.6 consumes a vast amount of memory. [when
compared to previous releases, 2.4.x]

My solution was to uncomment "config detection: search-method lowmem"

Snort *now* runs smoothly, consuming between 40-60 MB of RAM.

Thanks again,
Chris

On 10/19/06, rmkml <rmkml@free.fr> wrote:
Hi Chris,
Snort 2.6 uses more memory and maybe the FreeBSD VM killed the Snort process...
What is in your log (syslog)?
How much memory do you have?
Regards
Rmkml



On Thu, 19 Oct 2006, Chris U wrote:

Date: Thu, 19 Oct 2006 16:50:00 -1000
From: Chris U <chris.uyehara@gmail.com>
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort 2.6.0.2 (Build 85) - pfault

Hi Snort Users,

I'm in need of some help... I am using FreeBSD 5.5 [Generic Kernel]. I
installed Snort via ports. When I run snort with the following command
line: "snort -i sis0 -v -c snort.conf -l ./logs" Snort tries to
start up... what really happens... snort begins to consume RAM, once
RAM has been fully consumed it consumes SWAP. Once SWAP is full, Snort
will die and pfault - or so says top. I have included a snippet of
output from top and snort. A nicely printed version is available at
http://tinyurl.com/yxdekg

Any help would be greatly appreciated!

Mahalo,
Chris

~~~~~~~~~~~~~ BEGIN top snippet ~~~~~~~~~~~~~
 PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 471 root     124    0   194M   193M RUN      0:38 93.03% 80.47% snort
 440 root      96    0  2260K  1092K RUN      0:06  1.76%  1.76% top
~~~~~~~~~~~~~ END top snippet ~~~~~~~~~~~~~

~~~~~~~~~~~~~ BEGIN snort snippet ~~~~~~~~~~~~~
[root@kalua /usr/local/etc/snort]# snort -i sis0 -v -c snort.conf -l ./logs
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
-------------------------------------------------
Keyword     |       Preprocessor @
-------------------------------------------------
rpc_decode   :       0x808ee34
bo           :       0x808e190
telnet_decode:       0x809bbc8
stream4      :       0x8090820
stream4_reassemble:       0x8091e2c
stream4_external:       0x80918ec
frag2        :       0x80a8134
arpspoof     :       0x808d798
arpspoof_detect_host:       0x808d8c0
http_inspect :       0x80a1b70
http_inspect_server:       0x80a1b70
PerfMonitor  :       0x809c250
flow         :       0x80a4e84
flow-portscan:       0x80b27fc
sfportscan   :       0x80a7370
frag3_global :       0x80aa608
frag3_engine :       0x80aa714
-------------------------------------------------

-------------------------------------------------
Keyword     |      Plugin Registered @
-------------------------------------------------
content      :      0x8080ae0
content-list :      0x8080a18
offset       :      0x8080c30
depth        :      0x8080d7c
nocase       :      0x8080edc
rawbytes     :      0x8080fd0
regex        :      0x80812c4
uricontent   :      0x8080b88
distance     :      0x8081024
within       :      0x8081174
replace      :      0x807f160
flags        :      0x8085544
itype        :      0x807d340
icode        :      0x807c928
ttl          :      0x8086154
id           :      0x807e140
ack          :      0x8085370
seq          :      0x8085c8c
dsize        :      0x807c2d0
ipopts       :      0x807eb50
rpc          :      0x80844a8
icmp_id      :      0x807ce10
icmp_seq     :      0x807d0a8
session      :      0x8084bdc
tos          :      0x807e878
fragbits     :      0x807d824
fragoffset   :      0x807ddd8
window       :      0x8085e3c
ip_proto     :      0x807e380
sameip       :      0x807e6fc
flow         :      0x8086704
byte_test    :      0x8086f24
byte_jump    :      0x8087964
isdataat     :      0x8088ec4
pcre         :      0x8088390
flowbits     :      0x80898d0
asn1         :      0x808a604
react        :      0x8082b20
resp         :      0x8083a60
ftpbounce    :      0x808acb0
urilen       :      0x808b1c8
-------------------------------------------------

-------------------------------------------------
Keyword     |          Output @
-------------------------------------------------
alert_syslog :       0x807449c
log_tcpdump  :       0x8079254
database     :       0x807647c
alert_fast   :       0x80738c0
alert_full   :       0x8073f30
alert_unixsock:       0x8074f5c
alert_CSV    :       0x807546c
log_null     :       0x8079184
log_unified  :       0x807af98
alert_unified:       0x807acec
unified      :       0x8079974
log_ascii    :       0x807b83c
-------------------------------------------------

Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
  
  [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 7 chars, value = ./rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
   Max frags: 65536
   Fragment memory cap: 4194304 bytes
Frag3 engine config:
   Target-based policy: FIRST
   Fragment timeout: 60 seconds
   Fragment min_ttl:   1
   Fragment ttl_limit: 5
   Fragment Problems: 1
   Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
   Stateful inspection: ACTIVE
   Session statistics: INACTIVE
   Session timeout: 30 seconds
   Session memory cap: 8388608 bytes
   Session count max: 8192 sessions
   Session cleanup count: 5
   State alerts: INACTIVE
   Evasion alerts: INACTIVE
   Scan alerts: INACTIVE
   Log Flushed Streams: INACTIVE
   MinTTL: 1
   TTL Limit: 5
   Async Link: 0
   State Protection: 0
   Self preservation threshold: 50
   Self preservation period: 90
   Suspend threshold: 200
   Suspend period: 30
   Enforce TCP State: INACTIVE
   Midstream Drop Alerts: INACTIVE
   Server Data Inspection Limit: -1
WARNING snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
   Server reassembly: INACTIVE
   Client reassembly: ACTIVE
   Reassembler alerts: ACTIVE
   Zero out flushed packets: INACTIVE
   Flush stream on alert: INACTIVE
   flush_data_diff_size: 500
   Reassembler Packet Preferance : Favor Old
   Packet Sequence Overlap Limit: -1
   Flush behavior: Small (<255 bytes)
   Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
   Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
   GLOBAL CONFIG
     Max Pipeline Requests:    0
     Inspection Type:          STATELESS
     Detect Proxy Usage:       NO
     IIS Unicode Map Filename: ./unicode.map
     IIS Unicode Map Codepage: 1252
   DEFAULT SERVER CONFIG:
     Ports: 80 8080 8180
     Flow Depth: 300
     Max Chunk Length: 500000
     Inspect Pipeline Requests: YES
     URI Discovery Strict Mode: NO
     Allow Proxy Usage: NO
     Disable Alerting: NO
     Oversize Dir Length: 500
     Only inspect URI: NO
     Ascii: YES alert: NO
     Double Decoding: YES alert: YES
     %U Encoding: YES alert: YES
     Bare Byte: YES alert: YES
     Base36: OFF
     UTF 8: OFF
     IIS Unicode: YES alert: YES
     Multiple Slash: YES alert: NO
     IIS Backslash: YES alert: NO
     Directory Traversal: YES alert: NO
     Web Root Traversal: YES alert: YES
     Apache WhiteSpace: YES alert: NO
     IIS Delimiter: YES alert: NO
     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
     Non-RFC Compliant Characters: NONE
     Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
   Ports to decode RPC on: 111 32771
   alert_fragments: INACTIVE
   alert_large_fragments: ACTIVE
   alert_incomplete: ACTIVE
   alert_multiple_requests: ACTIVE
Portscan Detection Config:
   Detect Protocols:  TCP UDP ICMP IP
   Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
   Sensitivity Level: Low
   Memcap (in bytes): 10000000
   Number of Nodes:   36900

5462 Snort rules read...
5462 Option Chains linked into 210 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5 seconds=60
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10 seconds=10
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5 seconds=2
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5 seconds=2
| gen-id=1      sig-id=3543       type=Threshold tracking=src count=5 seconds=2
| gen-id=1      sig-id=4984       type=Threshold tracking=src count=5 seconds=2
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10 seconds=60
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10 seconds=60
| gen-id=1      sig-id=3542       type=Threshold tracking=src count=5 seconds=2
| gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5 seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = ./logs
Loading dynamic engine
/usr/local/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/...
 Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
 Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
FTPTelnet Config:
   GLOBAL CONFIG
     Inspection Type: stateful
     Check for Encrypted Traffic: YES alert: YES
     Continue to check encrypted data: NO
   TELNET CONFIG:
     Ports: 23
     Are You There Threshold: 200
     Normalize: YES
   FTP CONFIG:
     FTP Server: default
       Ports: 21
       Check for Telnet Cmds: YES alert: YES
       Identify open data channels: YES
     FTP Client: default
       Check for Bounce Attacks: YES alert: YES
       Check for Telnet Cmds: YES alert: YES
       Max Response Length: 256
SMTP Config:
     Ports: 25
     Inspection Type:            STATEFUL
     Normalize Spaces:           YES
     Ignore Data:                NO
     Ignore TLS Data:            NO
     Ignore Alerts:              NO
     Max Command Length:         0
     Max Header Line Length:     0
     Max Response Line Length:   0
     X-Link2State Alert:         YES
     Drop on X-Link2State Alert: NO
DNS config:
   DNS Client rdata txt Overflow Alert: ACTIVE
   Obsolete DNS RR Types Alert: INACTIVE
   Experimental DNS RR Types Alert: INACTIVE
   Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.

Initializing Network Interface sis0
Var 'sis0_ADDRESS' defined, value len = 25 chars, value = 10.100.10.0/255.255.255.0
Decoding Ethernet on interface sis0
Killed
[root@kalua /usr/local/etc/snort]#
~~~~~~~~~~~~~ END snort snippet ~~~~~~~~~~~~~

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
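A small added checker, not from the thread or the Snort project, for confirming the fix before restarting: it reads the memcap lines from the startup output quoted above, converts the RES column of the quoted top line to bytes, and reports how much resident memory lies outside the preprocessor memcaps (the detection engine, whose pattern matcher the search-method setting selects), plus whether an uncommented `config detection: search-method lowmem` is present. The sample inputs, regexes and function names are my own assumptions.

```python
import re
# Constructed sample: the memcap lines as Snort 2.6 printed them in the startup output above.
STARTUP_OUTPUT = """\
| Memcap:          10485760
   Fragment memory cap: 4194304 bytes
   Session memory cap: 8388608 bytes
   Memcap (in bytes): 10000000
| memory-cap : 1048576 bytes
"""
# Constructed: the snort process line from the quoted top(1) snippet.
TOP_LINE = " 471 root     124    0   194M   193M RUN      0:38 93.03% 80.47% snort"
# Constructed snort.conf fragments: the line as shipped (commented out) and after the fix.
CONF_BEFORE = "# config detection: search-method lowmem\n"
CONF_AFTER = "config detection: search-method lowmem\n"
MEMCAP_RE = re.compile(r"^\s*\|?\s*([^:]*mem(?:ory)?[ -]?cap[^:]*):\s*(\d+)", re.I)

def preprocessor_memcaps(output):
    """Return [(label, bytes)] for every memcap line Snort prints at startup."""
    found = []
    for line in output.splitlines():
        m = MEMCAP_RE.search(line)
        if m:
            found.append((m.group(1).strip(), int(m.group(2))))
    return found

def top_res_bytes(top_line):
    """Convert the RES column of a top(1) process line ('193M') to bytes."""
    res = top_line.split()[5]
    mult = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
    return int(res[:-1]) * mult[res[-1]] if res[-1] in mult else int(res)

def lowmem_configured(conf_text):
    """True only if an uncommented 'config detection: search-method lowmem' exists."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue  # the shipped snort.conf carries the line commented out
        m = re.match(r"config\s+detection\s*:\s*(.*)", line)
        if m and re.search(r"search-method\s+lowmem\b", m.group(1)):
            return True
    return False

def footprint_report(output, top_line, conf_text):
    """Split resident memory into the part bounded by memcaps and everything else."""
    capped = sum(b for _, b in preprocessor_memcaps(output))
    res = top_res_bytes(top_line)
    # The remainder is mostly the detection engine; no memcap bounds it.
    return {"memcap_total": capped, "resident": res, "outside_memcaps": res - capped,
            "lowmem_active": lowmem_configured(conf_text)}
```

On the quoted figures the five memcaps sum to about 33 MB, so roughly 168 MB of the 193M RES is outside any memcap, which is consistent with lowmem being the setting that changed the outcome.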


