[Snort-devel] Potential memory leak/settings for memory conservation in 2.9.2.3/2.9.3_rc1?

Jesse Bowling jessebowling at ...2499...
Tue Jul 3 17:55:42 EDT 2012


Hello,

While running snort 2.9.2.3 on modest hardware with PF_RING I've found that
after 1 - 3 hours the snort processes have used enough memory to cause
swapping, which in turn leads to iowait, which leads to additional system
time, which ends in a death spiral with snort and PF_RING dropping and
failing to analyze almost all traffic on a link averaging 200-400 MB/s of
traffic. This appears to also be the case with 2.9.3_rc1.

Some particulars are included below, but before the wall of text I wanted
to ask:

Is there a known memory leak in these versions?

Are there snort.conf options I can/should tweak to limit the amount of
memory that snort uses on this limited resource machine?

What tools or techniques can I use to help profile the performance issue
and isolate its source? I'm fairly certain the issue lies within snort,
but I'd like to have something more definitive than top/vmstat/sar output.

How can I download previous versions of snort? I've built this monitoring
stack before and did not observe issues of this nature then; I'd like to
fall back to an older version and confirm that it functions properly.

Thanks in advance,

Jesse

Tech details:

Linux sensor-test 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012
x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.3 (Santiago)

PF_RING Version     : 5.2.1 ($Revision: 5041$)
Ring slots          : 8192
Slot version        : 13
Capture TX          : No [RX only]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : No (mode 2)
Total rings         : 2
Total plugins       : 0

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3_rc GRE (Build 35)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.3 GRE (Build 205)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

$ ./configure --with-libpcap-includes=/usr/local/include
--with-libpcap-libraries=/usr/local/lib
--with-dnet-includes=/usr/local/include
--with-dnet-libraries=/usr/local/lib --disable-ipv6
--disable-active-response --disable-react

DAQ:
It was created by daq configure 0.6.2, which was
generated by GNU Autoconf 2.67.  Invocation command line was

  $ ./configure --with-libpcap-includes=/usr/local/include
--with-libpcap-libraries=/usr/local/lib


-- 
Jesse Bowling