From: Dave R. <dav...@gm...> - 2008-07-17 17:38:06
vishal_nitr wrote:
> Hi All,
> Whenever I use a "reject" rule I am getting an error "packet recv contents failure: No buffer space available", and snort-inline is hanging with this message and also there are a lot of logs dumped in my log directory.
> To overcome this problem, somewhere in "Inliniac.com" I saw a post that we should change the default buffer size to 8388608 and the tcp buffer size to 1048576 4194304 16777216. I tried changing to these values but it's not working.
> When I debugged this problem I narrowed it down to a function
> HandlePacket() which is causing some loop inside and leading to a lot of
> logs and hanging the snort.
> Is there any solution to this?
> I am using snort_inline-2.6.1.5 with NFQUEUE.

Try cat /proc/net/netlink and see where the memory is piling up.

Logs? Which logs? How are you logging?

You may have other problems, such as insufficient processor, rules that are taking too long, etc.

You might want to set the mem sizes up:

/sbin/sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
/sbin/sysctl -w net.ipv4.tcp_wmem='8388608 8388608 8388608'
/sbin/sysctl -w net.ipv4.tcp_rmem='8388608 8388608 8388608'
/sbin/sysctl -w net.core.rmem_default=8388608
/sbin/sysctl -w net.core.wmem_default=8388608
/sbin/sysctl -w net.core.rmem_max=33554432
/sbin/sysctl -w net.core.wmem_max=16777216

Dave
--
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right."
David Palmer (pa...@ty...)
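
Added example, not part of the original message: a shell helper that reads the table behind the `cat /proc/net/netlink` check above and lists the sockets whose receive queue is backing up. The function names and the sample table are constructed for illustration; protocol 12 in the Eth column is NETLINK_NETFILTER, the family NFQUEUE uses, and the Drops column is treated as optional.

```shell
#!/bin/sh
# netlink_backlog [FILE] [MIN_RMEM]
#   FILE      netlink socket table to read (default /proc/net/netlink, "-" = stdin)
#   MIN_RMEM  report sockets with at least this many queued receive bytes (default 1)
# A socket is also reported whenever its Drops counter is non-zero.
netlink_backlog() {
    awk -v min="${2:-1}" '
        NR == 1 {
            # Header row: map column names to positions so the parser does
            # not depend on a fixed column order.
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        {
            rmem  = $(col["Rmem"])
            drops = ("Drops" in col) ? $(col["Drops"]) : 0
            if (rmem + 0 >= min + 0 || drops + 0 > 0) {
                eth   = $(col["Eth"])
                proto = (eth == 12) ? "NETLINK_NETFILTER" : ("proto " eth)
                printf "%s pid=%s rmem=%s drops=%s\n", proto, $(col["Pid"]), rmem, drops
            }
        }
    ' "${1:-/proc/net/netlink}"
}

# Constructed sample table (not captured from a real host): one idle routing
# socket, one NFQUEUE consumer with a full receive buffer, one idle socket.
sample_netlink_table() {
    cat <<'EOF'
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks     Drops
c1a2b000 0   0      00000000 0        0        00000000 2         0
c1a2b400 12  4321   00000000 8388608  0        00000000 2         57
c1a2b800 15  0      00000000 0        0        00000000 2         0
EOF
}

# Stand-alone run on the constructed sample; on a live sensor call
# netlink_backlog with no arguments instead.
sample_netlink_table | netlink_backlog -
```

A NETLINK_NETFILTER row whose Rmem sits at the configured buffer limit means the process reading the queue is not draining it as fast as the kernel fills it, so raising the limits only postpones the "No buffer space available" error.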