[Snort-devel] snort 2.0 memory usage

Al.Heisner at ...1952...
Wed Apr 23 06:37:34 EDT 2003


System Architecture:		x86
Operating System and version:	RedHat 7.3, Linux kernel 2.4.18
Version of Snort:			1.9.0 vs. 2.0.0

What preprocessors loaded:
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports all
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo 
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 300

What rules:
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
include $RULE_PATH/test.rules

What output plug-ins:		output alert_full: alert
What command line switches you were using:
/usr/sbin/snort -l /var/log/snort -d -D -i eth1 -c /etc/snort/snort.conf (or snort.test)

Any Snort error messages: none


Problem: High memory usage from snort 2.0.0 compared to snort 1.9.0.
This was running on a 200 MHz CPU with 64 MB of memory.
Memory usage seems directly related to the number of rules configured.

snort 2.0.0 running with config /etc/snort/snort.test
>top -p `pgrep snort` -b -n 1 | tail -2
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
16707 root      15   0  8348 6520   872 S     0.0 10.5   0:01 snort

snort 2.0.0 running with config /etc/snort/snort.conf
>top -p `pgrep snort` -b -n 1 | tail -2
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
16780 root      15   0 59572  38M  2196 R     0.1 63.5   0:07 snort

snort 1.9.0 running with config /etc/snort/snort.test
>top -p `pgrep snort` -b -n 1 | tail -2
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
17213 root      15   0  3440 3440   872 S     0.0  5.5   0:00 snort

snort 1.9.0 running with config /etc/snort/snort.conf
>top -p `pgrep snort` -b -n 1 | tail -2
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
17143 root      15   0  5728 5728   872 S     0.0  9.2   0:01 snort

>diff /etc/snort/snort.test /etc/snort/snort.conf 
569,575c569,575
< #include $RULE_PATH/web-cgi.rules
< #include $RULE_PATH/web-coldfusion.rules
< #include $RULE_PATH/web-iis.rules
< #include $RULE_PATH/web-frontpage.rules
< #include $RULE_PATH/web-misc.rules
< #include $RULE_PATH/web-client.rules
< #include $RULE_PATH/web-php.rules
---
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules