[Snort-devel] SNORT has memory leak on Linux Red hat 9

Kumar, Manoj kumarm at ...2330...
Thu Feb 26 08:09:30 EST 2004


Hi,
I am not using any configuration. I am just using simple snort command as :

snort -A none -P 128 -l /home/log -L Capture.log -i eth1 'ether[2]=0x03' -b -D

and killing it after every 5 minutes.

Please let me know what do you think why SNORT is eating up the memory?
Thanks
Mnoj

-----Original Message-----
From: rmkml [mailto:rmkml at ...1042...]
Sent: Thursday, February 26, 2004 1:59 AM
To: Kumar, Manoj
Subject: RE: [Snort-devel] SNORT has memory leak on Linux Red hat 9


Hi Kumar,
possible disable processor on your snort config ?
disable processor, restart snort, look memory .....
Regards


On Wed, 25 Feb 2004, Kumar, Manoj wrote:

> Date: Wed, 25 Feb 2004 18:09:03 -0500
> From: "Kumar, Manoj" <kumarm at ...2330...>
> To: Ian Macdonald <ism at ...2371...>
> Cc: Jeremy Hewlett <jh at ...402...>, snort-users at lists.sourceforge.net,
>      snort-devel at lists.sourceforge.net, snort-announce at ...2402...net
> Subject: RE: [Snort-devel] SNORT has memory leak on Linux Red hat 9
>
> Ian,
> Thanks for your reply
> Yes,exactly this is what very odd is that even I kill the SNORT process,memory are not getting released. This is really strange. But,this is what exactly happening.
> I have 4 GB of physical memory. I stopped all the process and waited for 3-4 hours.It remains at 345MB. As soon as I start the snort process,it starts climbing and other thing is that it climbes very fast. Within 2-3 hours, it eats up 95% of the memory. It goes upto 3.5 GB. When I kill it,I thought it will release the memory,but it's not.
>
> Again,this is happening on Red hat 9 and also on application service 2.4.9 Linux.
>
> Manoj
>
> -----Original Message-----
> From: Ian Macdonald [mailto:ism at ...2371...]
> Sent: Wednesday, February 25, 2004 6:06 PM
> To: Kumar, Manoj
> Cc: Jeremy Hewlett; snort-users at lists.sourceforge.net;
> snort-devel at lists.sourceforge.net; snort-announce at lists.sourceforge.net
> Subject: Re: [Snort-devel] SNORT has memory leak on Linux Red hat 9
>
>
> The first thing that seems odd is that the memory doesn't free up after
> killing the process. Normally all memory would be released on application
> termination. When you say memory doesn't free what item are you looking
> at?
> One thing you might want to do is try killing other applications to see if
> they are the ones that are stealing the memory. You may even want to
> remove the loaded modules one by one incase the memory leak is in the
> network driver module.
> The only other thing of the top of my head is that machine is swapping so
> much that it takes time for the OS to swap out the memory from disk to
> allow it to be released?
> Have you tried it on a different OS or Kernel?
>
> > Hello everybody,
> > I am running SNORT ver 2.1.0 to capture data from my giga bit network on
> > RedHat Linux 9 where SNORT is capturing 100MB of data per minute (Lots of
> > data). Problem is that memory usage keeps going as long as SNORT is
> > running.
> > WORST thing is that even if you kill the SNORT process, it doesn't release
> > the memory. Memory usage remains as it is.
> > Would you guys please help me out? Why SNORT is behaving like this and
> > anybody has noticed this problem?
> >
> > Thanks
> > Manoj
> >
> >
> > -----Original Message-----
> > From: Jeremy Hewlett [ mailto:jh at ...402...]
> > Sent: Wednesday, February 25, 2004 4:41 PM
> > To: snort-users at lists.sourceforge.net
> > Cc: snort-devel at lists.sourceforge.net;
> > snort-announce at lists.sourceforge.net
> > Subject: [Snort-devel] Snort 2.1.1 final is available!
> >
> >
> > Greetings!
> >
> > Snort 2.1.1 is now available - Thanks everyone who installed RC1 and
> > tried it out! The differences between RC1 and final are minor, and
> > include:
> >
> > * Documentation updates and fixes by JP Vossen, Felipe Franciosi, and
> >   Drew Smith
> > * Compiles on Tru64 now - thanks Hari Gopal and Darryl Cook.
> > * libintsnort.a is no longer included in compile routine (this is the
> >   Solaris "ar" problem some people have had)
> > * Snort templates have been updated
> > * Fixed issue with CSV not displaying its output correctly - thanks
> >   Bill Guyton and Alan Milligan for your fixes.
> > * Fixed Flow-Portscan alert-mode bug where only one alert would get
> >   generated.  Thanks Kevin Amorin for pointing out the problem and
> >   testing the fix.
> > * Minor Makefile fix for "unexpected end of line" at the verstuff.pl
> >   line when not using GNU "make" on Solaris - Thanks for the report,
> >   Chad Kreimendahl.
> > * Removed escaping of '%' and '_' characters in MySQL (thanks
> >   Kristofer Karas).
> >
> > For further info on changes, please review the ChangeLog and
> > RELEASE.NOTES, which can be found in the parent directory of the snort
> > source.
> >
> > Happy Snorting,
> > The Snort Team
> >
> >
> >
> > -------------------------------------------------------
> > SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> > Build and deploy apps & Web services for Linux with
> > a free DVD software kit from IBM. Click Now!
> > http://ads.osdn.com/?ad_id=1356
> > <ht




More information about the Snort-devel mailing list