
Re: [Snortsnarf] SnortSnarf-080101.1 running out of memory on OpenBSD 2.9



>Hi,
>
>I'm running snort-1.8.1-beta6 and SnortSnarf-080101.1 on an x86 machine
>with 256MB of physical memory and 195MB of swap.  Since this machine
>is dedicated for running snort, memory usage is normally ~20MB, peaking
>at 48MB when I patched & rebuilt the OpenBSD kernel.
>
>When running SnortSnarf, after my alert file grows beyond a certain
>point (I believe 12MB), it chokes and complains of being out of memory:
>
>bigjerk$ /usr/local/bin/snortsnarf.pl -d /var/www/htdocs/snort
>/snort/alert
>Out of memory!
>Out of memory!
>Attempt to free unreferenced scalar, <ifh000> line 251880 during global
>destruction.
>
>Is this a known issue, and if so, are there any workarounds?  I'm going
>to try and apply my very limited Perl abilities and see if I can find
>anything...

SnortSnarf is really running out of memory.  It stores all alerts in 
memory while it builds up what should go on each page.  I've 
given the implementation some thought and there is no easy way to get 
away from this fact.  This is especially an issue with large input 
files.

One point to note is that, by all reports, SnortSnarf will 
(eventually) finish properly with even the largest input files 
provided there is enough memory.

Some workarounds:
+ add more RAM or increase your swap size
+ split your input file and run SnortSnarf separately on each piece
+ otherwise reduce your input by, e.g., eliminating snort rules that 
are producing a lot of alerts

Best regards,

   Jim
-- 
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland@SiliconDefense.com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
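
The "split your input file" workaround from the reply above, as an added example that is not part of the original message or of SnortSnarf. It assumes the alert file holds multi-line alert records separated by blank lines; the function names, piece file names and sample records are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def split_alerts(path, out_dir, max_bytes):
    """Copy `path` into numbered pieces of about max_bytes each, cutting
    only after a blank line so that no alert record is split in two."""
    os.makedirs(out_dir, exist_ok=True)
    pieces, out, written = [], None, 0
    with open(path, "rb") as src:
        for line in src:          # streamed: the input is never held in memory
            if out is None:
                # Piece names (alert.0000, alert.0001, ...) are hypothetical.
                pieces.append(os.path.join(out_dir, "alert.%04d" % len(pieces)))
                out, written = open(pieces[-1], "wb"), 0
            out.write(line)
            written += len(line)
            # Assumption: a blank line marks the end of one alert record.
            if not line.strip() and written >= max_bytes:
                out.close()
                out = None
    if out is not None:
        out.close()
    return pieces


def constructed_record(i):
    """One constructed alert record (not taken from a real sensor)."""
    return (b"[**] ICMP PING (constructed sample) [**]\n"
            + ("08/01-12:00:%02d 192.0.2.1 -> 192.0.2.2\n" % i).encode()
            + b"ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84\n\n")


def demo():
    """Split ten constructed records; return (original bytes, piece contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "alert")
        with open(src, "wb") as f:
            f.writelines(constructed_record(i) for i in range(10))
        names = split_alerts(src, os.path.join(tmp, "pieces"), 300)
        return Path(src).read_bytes(), [Path(n).read_bytes() for n in names]


if __name__ == "__main__":
    original, chunks = demo()
    print(len(chunks), "pieces,", len(original), "bytes in total")
```

Each piece can then be given to snortsnarf.pl in its own run with its own `-d` output directory, choosing `max_bytes` below the size at which the run exhausts memory.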