Earl,

It's roo 1.2 hw-1. It's the stock version. I did a brand new install on the honeywall. No updates to snort rules etc. or any updates. Within half an hour memory had jumped from 400mb to around 900mb. Traffic is at a minimum, almost nothing actually.

-Parvinder Bhasin

I recall memory problems with snort in an earlier (not sure which)
version of the honeywall but none in 1.2 (with stock
configuration).  If a version went out with memory problems as you
describe, it would have been around the 1.1 time frame.  Let's get
back to fundamentals:

Please:
'cat /etc/ROO_BASE_VERSION'
and post your results.

Have you made any config changes with respect to snort/snort_inline?
- conf file changes
- rule changes

Anything else changed?

I had a stock roo-1.2 up on my laptop for 4 days under VMWare with
2 other VMs running and had no problems (related to memory).

I was testing a set of custom snort rules, however, on another
system that brought a roo-1.2 to its knees due to memory
exhaustion within 1 minute of a restart.

Is anyone else seeing this on standalone snort 2.6.1 systems (Or
has everyone gone to 2.8 already?)

Earl


On Sun, 21 Oct 2007 23:47:14 -0400 Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
Forgot to mention, memory is good at around 230mb without snort and
snort_inline.

-Parvinder Bhasin


Parvinder Bhasin wrote:
Rob,

I tried to do what you suggested and I got:

FATAL ERROR:  Please activate stream4 before trying to activate stream4_reassemble.

So when I tried to disable (comment) the stream4_reassemble, I got:

FATAL ERROR:  SMTP_ParseArgs(): Streaming & reassembly must be enabled.

-Parvinder Bhasin

Rob McMillen wrote:
Parvinder,
For kicks, can you go into the snort configuration file
(/etc/snort/snort.conf) and comment out the line for the stream4
preprocessor?

change:
preprocessor stream4: disable_evasion_alerts
to:
#preprocessor stream4: disable_evasion_alerts

Just to see if your memory usage changes.  It would really be a big
help. Same for the snort_inline configuration
(/etc/snort_inline/snort_inline.conf).  On my honeywall, these are the
two processes that hog the memory.

And of course, restart them after changing the configuration file :)
/etc/init.d/hflow-snort restart
/etc/init.d/hflow-snort_inline restart

Rob

On 10/20/07, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
Hi Rob,

I set up another HW with roo 1.2, which is a Pentium 4 3.2GHz with
2 gigs of RAM, and I think the problem really is with a memory leak.
So after deploying this honeywall I was looking at top and watching
the memory usage climb up within 15 mins.  So within 15 mins all of my
2 gig memory was used up and the system started writing to swap.  At
this point walleye wasn't reporting anything and moreover, I couldn't
even run tcpdump. Tcpdump would run and miss packets like anything.
Hope this helps in troubleshooting this.  Right now I haven't spent
any time troubleshooting what program is causing the memory leak but
my hunch is snort.

Hope this info helps.

-Parvinder Bhasin
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
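
An added example, not part of the original thread or of the Honeywall project's code: one way to confirm which process is growing instead of reading it off top, by logging resident memory per process name and reporting the growth rate. The function names, the log format, the process names as they appear in ps, and the sample figures are assumptions made for this illustration.

```shell
# Added illustration (not from the thread): attribute memory growth to a
# process by sampling resident set size (RSS) over time.
# Log format (an assumption of this example): "<epoch> <name> <rss_kb>".
# Assumes the daemons show up in ps as "snort" and "snort_inline".

# Append one sample per process name, summing RSS over all PIDs of that name.
sample_rss() {
    local log="$1"; shift
    local now name
    now=$(date +%s)
    for name in "$@"; do
        ps -eo rss=,comm= | awk -v n="$name" -v t="$now" \
            '$2 == n { sum += $1; seen = 1 }
             END { if (seen) print t, n, sum }' >> "$log"
    done
}

# For each process name print: name first_kb last_kb growth_kb kb_per_min
growth_report() {
    awk '{
            if (!($2 in t0)) { t0[$2] = $1; r0[$2] = $3 }
            t1[$2] = $1; r1[$2] = $3
         }
         END {
            for (n in t0) {
                dt = t1[n] - t0[n]
                rate = (dt > 0) ? (r1[n] - r0[n]) * 60 / dt : 0
                printf "%s %d %d %d %.0f\n", n, r0[n], r1[n], r1[n] - r0[n], rate
            }
         }' "$1" | LC_ALL=C sort
}

# Names whose RSS grew faster than the given number of kB per minute.
leak_suspects() {
    growth_report "$1" | awk -v lim="$2" '$5 > lim { print $1 }'
}

# Constructed sample data (not measurements from the thread).
demo_log() {
    cat <<'EOF'
1000 snort 400000
1000 snort_inline 120000
1300 snort 650000
1300 snort_inline 121000
1600 snort 900000
1600 snort_inline 121500
EOF
}
```

On a live box, call `sample_rss /tmp/rss.log snort snort_inline` once a minute (for example from a `while sleep 60` loop), then run `growth_report /tmp/rss.log` before and after a configuration change and compare the rates.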
