Rob,
I tried to do what you suggested and I got:
FATAL ERROR: Please activate stream4 before trying to activate stream4_reassemble.
So when I tried to disable (comment out) stream4_reassemble, I got:
FATAL ERROR: SMTP_ParseArgs(): Streaming & reassembly must be enabled.
-Parvinder Bhasin
Rob McMillen wrote:
Parvinder,
For kicks, can you go into the snort configuration file
(/etc/snort/snort.conf) and comment out the line for the stream4
preprocessor?
change:
preprocessor stream4: disable_evasion_alerts
to:
#preprocessor stream4: disable_evasion_alerts
Just to see if your memory usage changes. It would really be a big help.
Same for the snort_inline configuration
(/etc/snort_inline/snort_inline.conf). On my honeywall, these are the
two processes that hog the memory.
And of course, restart them after changing the configuration file :)
/etc/init.d/hflow-snort restart
/etc/init.d/hflow-snort_inline restart
Rob
On 10/20/07, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
Hi Rob,
I set up another HW with roo 1.2, which is a Pentium 4 3.2 GHz with 2 gigs of
RAM, and I think the problem really is with a memory leak. So after
deploying this honeywall I was looking at top and watching the memory
usage climb up within 15 mins. So within 15 mins all of my 2 gigs of memory
was used up and the system started writing to swap. At this point walleye
wasn't reporting anything and moreover, I couldn't even run tcpdump.
Tcpdump would run and miss packets like anything. Hope this helps in
troubleshooting this. Right now I haven't spent any time
troubleshooting what program is causing the memory leak but my hunch is snort.
Hope this info helps.
-Parvinder Bhasin
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall