[Snort-devel] snort 2.0 memory usage

Erek Adams erek at ...835...
Wed Apr 23 09:07:52 EDT 2003

On Tue, 22 Apr 2003 Al.Heisner at ...1952... wrote:

> System Architecture:		x86
> Operating System and version:	RedHat 7.3, Linux kernel 2.4.18
> Version of Snort:			1.9.0 vs. 2.0.0
> What preprocessors loaded:
> preprocessor frag2
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble: both, ports all
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> iis_flip_slash full_whitespace
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor conversation: allowed_ip_protocols all, timeout 60,
> max_conversations 300


<obiwan voice>
There is no problem.  All is normal.  This is not the bug you are looking
for.  Move along.
</obiwan voice>

Seriously--Mem usage went up in 2.0 by a huge amount.  If you use
Conversation and/or portscan2 you're going to gobble quite a bit.  You can
use the config:  lowmem option to drop the usage some.  The biggest thing
that's eating memory is the new way of organizing rules.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-devel mailing list