[Snort-devel] snort 2.0 memory usage

Erek Adams erek at ...835...
Wed Apr 23 09:07:52 EDT 2003


On Tue, 22 Apr 2003 Al.Heisner at ...1952... wrote:

> System Architecture:		x86
> Operating System and version:	RedHat 7.3, Linux kernel 2.4.18
> Version of Snort:			1.9.0 vs. 2.0.0
>
> What preprocessors loaded:
> preprocessor frag2
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble: both, ports all
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> iis_flip_slash full_whitespace
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor conversation: allowed_ip_protocols all, timeout 60,
> max_conversations 300

[...snip...]

<obiwan voice>
There is no problem.  All is normal.  This is not the bug you are looking
for.  Move along.
</obiwan voice>

Seriously--Mem usage went up in 2.0 by a huge amount.  If you use
Conversation and/or portscan2 you're going to gobble quite a bit.  You can
use the config:  lowmem option to drop the usage some.  The biggest thing
that's eating memory is the new way of organizing rules.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-devel mailing list