[Snort-devel] snort 2.0 memory usage

Marc Norton marc.norton at ...402...
Fri Apr 25 12:17:11 EDT 2003


The lowmem detection configuration option changes the amount and way
patterns are stored and organized. I've seen the memory decrease 50-60
Mbytes when going from the 'mwm' to the 'lowmem' search-method. If you
still have  a memory shortage when using the lowmem option, it's not the
detection engine - look elsewhere.



> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net [mailto:snort-devel-
> admin at lists.sourceforge.net] On Behalf Of Erek Adams
> Sent: Wednesday, April 23, 2003 12:00 PM
> To: Al.Heisner at ...1952...
> Cc: roesch at ...835...; snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] snort 2.0 memory usage
> 
> On Tue, 22 Apr 2003 Al.Heisner at ...1952... wrote:
> 
> > System Architecture:		x86
> > Operating System and version:	RedHat 7.3, Linux kernel 2.4.18
> > Version of Snort:			1.9.0 vs. 2.0.0
> >
> > What preprocessors loaded:
> > preprocessor frag2
> > preprocessor stream4: detect_scans, disable_evasion_alerts
> > preprocessor stream4_reassemble: both, ports all
> > preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> > iis_flip_slash full_whitespace
> > preprocessor rpc_decode: 111 32771
> > preprocessor bo
> > preprocessor telnet_decode
> > preprocessor portscan: $HOME_NET 4 3 portscan.log
> > preprocessor conversation: allowed_ip_protocols all, timeout 60,
> > max_conversations 300
> 
> [...snip...]
> 
> <obiwan voice>
> There is no problem.  All is normal.  This is not the bug you are
looking
> for.  Move along.
> </obiwan voice>
> 
> Seriously--Mem usage went up in 2.0 by a huge amount.  If you use
> Conversation and/or portscan2 you're going to gobble quite a bit.  You
can
> use the config:  lowmem option to drop the usage some.  The biggest
thing
> that's eating memory is the new way of organizing rules.
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel





More information about the Snort-devel mailing list