[Snort-devel] Potential memory leak/settings for memory conservation in 2.9.2.3/2.9.3_rc1?

Jesse Bowling jessebowling at ...2499...
Thu Jul 5 13:28:07 EDT 2012


Hello everyone,

Not sure if this list is active, but wanted to note that the issue I
mentioned earlier went away after I tweaked the stream5 settings for the
snort instances. I had removed some lines from the stream5 processing
configuration in an attempt to not track UDP; instead I caused UDP
'sessions' to be tracked without limit.

Needless to say, this caused some performance issues. :)

Sorry for the false alarm,

Jesse

On Tue, Jul 3, 2012 at 5:55 PM, Jesse Bowling <jessebowling at ...2499...> wrote:

> Hello,
>
> While running snort 2.9.2.3 on modest hardware with PF_RING I've found
> that after 1 - 3 hours the snort processes have used enough memory to cause
> swapping, which in turn leads to iowait, which leads to additional system
> time, which ends in a death spiral with snort and PF_RING dropping and
> failing to analyze almost all traffic on a link averaging 200-400 MB/s of
> traffic. This appears to also be the case with 2.9.3_rc1.
>
> Some particulars are included below, but before the wall of text I wanted
> to ask:
>
> Is there a known memory leak in these versions?
>
> Are there snort.conf options I can/should tweak to limit the amount of
> memory that snort uses on this limited resource machine?
>
> What tools or techniques can I use to help profile the performance issue
> and isolate its source? I'm fairly certain the issue lies within snort,
> but I'd like to have something more definitive than top/vmstat/sar output.
>
> How can I download previous versions of snort? I've built this monitoring
> stack before and did not observe issues of this nature then; I'd like to
> fall back to an older version and confirm that it functions properly.
>
> Thanks in advance,
>
> Jesse
>
> Tech details:
>
> Linux sensor-test 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT
> 2012 x86_64 x86_64 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>
> PF_RING Version     : 5.2.1 ($Revision: 5041$)
> Ring slots          : 8192
> Slot version        : 13
> Capture TX          : No [RX only]
> IP Defragment       : No
> Socket Mode         : Standard
> Transparent mode    : No (mode 2)
> Total rings         : 2
> Total plugins       : 0
>
> # snort --version
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.3_rc GRE (Build 35)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> # snort --version
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.2.3 GRE (Build 205)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> $ ./configure --with-libpcap-includes=/usr/local/include
> --with-libpcap-libraries=/usr/local/lib
> --with-dnet-includes=/usr/local/include
> --with-dnet-libraries=/usr/local/lib --disable-ipv6
> --disable-active-response --disable-react
>
> DAQ:
> It was created by daq configure 0.6.2, which was
> generated by GNU Autoconf 2.67.  Invocation command line was
>
>   $ ./configure --with-libpcap-includes=/usr/local/include
> --with-libpcap-libraries=/usr/local/lib
>
>
> --
> Jesse Bowling
>
>
>


-- 
Jesse Bowling