I recall memory problems with snort in earlier (not sure which) version of the honeywall but none in 1.2 (with stock configuration). If a version went out with memory problems as you describe it would have been around the 1.1 time frame.

Let's get back to fundamentals:

Please: 'cat /etc/ROO_BASE_VERSION' and post your results.

Have you made any config changes with respect to snort/snort_inline?
- conf file changes
- rule changes

Anything else changed?

I had a stock roo-1.2 up on my laptop for 4 days under VMWare with 2 other VMs running and had no problems (related to memory). I was testing a set of custom snort rules, however, on another system that brought a roo-1.2 to its knees due to memory exhaustion within 1 minute of a restart.

Is anyone else seeing this on standalone snort 2.6.1 systems (Or has everyone gone to 2.8 already?)

Earl

On Sun, 21 Oct 2007 23:47:14 -0400 Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> Forgot to mention, memory is good at around 230mb without snort and
> snort_inline.
>
> -Parvinder Bhasin
>
>
> Parvinder Bhasin wrote:
>> Rob,
>>
>> I tried to do what you suggested and I got :
>>
>> FATAL ERROR: Please activate stream4 before trying to activate
>> stream4_reassemble.
>>
>> so when I tried to disable (comment) the stream4_reassemble , I got:
>>
>> FATAL ERROR: SMTP_ParseArgs(): Streaming & reassembly must be enabled.
>>
>> -Parvinder Bhasin
>>
>> Rob McMillen wrote:
>>> Parvinder,
>>> For kicks, can you go into the snort configuration file
>>> (/etc/snort/snort.conf) and comment out the line for the stream4
>>> preprocessor?
>>>
>>> change:
>>> preprocessor stream4: disable_evasion_alerts
>>> to:
>>> #preprocessor stream4: disable_evasion_alerts
>>>
>>> Just to see if your memory usage changes. It would really be a big help.
>>>
>>> Same for the snort_inline configuration
>>> (/etc/snort_inline/snort_inline.conf). On my honeywall, these are the
>>> two processes that hog the memory.
>>>
>>> And of course, restart them after changing the configuration file :)
>>>
>>> /etc/init.d/hflow-snort restart
>>> /etc/init.d/hflow-snort_inline restart
>>>
>>> Rob
>>>
>>>> On 10/20/07, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
>>>>> Hi Rob,
>>>>>
>>>>> I set up another HW with roo 1.2, which is pentium 4 3.2gh with
>>>>> 2Gigs of RAM and I think the problem really is with memory leak.
>>>>> So after deploying this honeywall I was looking at top and
>>>>> watching the memory usage climb up within 15 mins. So within 15
>>>>> mins all of my 2gig memory was used up and system started writing
>>>>> to swap. At this point walleye wasn't reporting anything and
>>>>> moreover, I couldn't even run tcpdump. Tcpdump would run and miss
>>>>> packets like anything. Hope this helps in troubleshooting this.
>>>>> Right now I haven't spent any time troubleshooting what program is
>>>>> causing memory leak but my hunch is snort.
>>>>>
>>>>> Hope this info helps.
>>>>>
>>>>> -Parvinder Bhasin
>>> _______________________________________________
>>> Honeywall mailing list
>>> [email protected]
>>> https://public.honeynet.org/mailman/listinfo/honeywall
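
Added example, not part of the thread or of the Honeywall distribution: a small sampler that turns the "see if your memory usage changes" check discussed above into a per-process growth rate, so runs before and after a configuration or rule change can be compared. It assumes Linux procps `ps` and that the processes appear under the command names `snort` and `snort_inline`; the log path and the sample figures are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux procps `ps` and that the
# processes show up under the command names snort and snort_inline.

# One sample: "<epoch> <name> <total_rss_kB>" per process name, summed
# across all instances of that name.
sample_rss() {
    ps -C snort,snort_inline -o comm=,rss= |
        awk -v t="$(date +%s)" '{ rss[$1] += $2 }
            END { for (n in rss) print t, n, rss[n] }'
}

# Read samples on stdin and print growth per process name in kB/min,
# measured between the first and last sample seen for each name.
growth_report() {
    awk '
        !($2 in t0) { t0[$2] = $1; r0[$2] = $3 }
        { t1[$2] = $1; r1[$2] = $3 }
        END {
            for (n in t0) {
                if (t1[n] == t0[n]) continue   # single sample: no rate
                printf "%s %d kB/min\n", n,
                       (r1[n] - r0[n]) * 60 / (t1[n] - t0[n])
            }
        }' | LC_ALL=C sort
}

# Constructed samples (not real measurements), taken one minute apart.
CONSTRUCTED_SAMPLES='1000 snort 100000
1000 snort_inline 90000
1060 snort 160000
1060 snort_inline 90500
1120 snort 220000
1120 snort_inline 91000'

# Live use (hypothetical log path): collect for a while, then report.
#   while :; do sample_rss; sleep 60; done >> /tmp/snort_rss.log
#   growth_report < /tmp/snort_rss.log
printf '%s\n' "$CONSTRUCTED_SAMPLES" | growth_report
```

A process whose figure stays near zero across a run is unlikely to be the one exhausting RAM; a large positive rate that persists after restart points at that process and its configuration or rule set.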
