[Snort-devel] Potential memory leak/settings for memory conservation in 2.9.2.3/2.9.3_rc1?

Russ Combs rcombs at ...402...
Thu Jul 5 14:43:23 EDT 2012


Jesse, thanks for following up.  Can you send borked settings so we can try
to prevent such outcomes?

Russ

On Thu, Jul 5, 2012 at 1:28 PM, Jesse Bowling <jessebowling at ...2499...> wrote:

> Hello everyone,
>
> Not sure if this list is active, but wanted to note that the issue I
> mentioned earlier went away after I tweaked the stream5 settings for the
> snort instances. I had removed some lines from the stream5 processing
> configuration in an attempt to not track UDP; instead I caused UDP
> 'sessions' to be tracked without limit.
>
> Needless to say, this caused some performance issues. :)
>
> Sorry for the false alarm,
>
> Jesse
>
>
> On Tue, Jul 3, 2012 at 5:55 PM, Jesse Bowling <jessebowling at ...2499...> wrote:
>
>> Hello,
>>
>> While running snort 2.9.2.3 on modest hardware with PF_RING I've found
>> that after 1 - 3 hours the snort processes have used enough memory to cause
>> swapping, which in turn leads to iowait, which leads to additional system
>> time, which ends in a death spiral with snort and PF_RING dropping and
>> failing to analyze almost all traffic on a link averaging 200-400 MB/s of
>> traffic. This appears to also be the case with 2.9.3_rc1.
>>
>> Some particulars are included below, but before the wall of text I wanted
>> to ask:
>>
>> Is there a known memory leak in these versions?
>>
>> Are there snort.conf options I can/should tweak to limit the amount of
>> memory that snort uses on this limited resource machine?
>>
>> What tools or techniques can I use to help profile the performance issue
>> and isolate its source? I'm fairly certain the issue lies within snort,
>> but I'd like to have something more definitive than top/vmstat/sar output.
>>
>> How can I download previous versions of snort? I've built this monitoring
>> stack before and did not observe issues of this nature then; I'd like to
>> fall back to an older version and confirm that it functions properly.
>>
>> Thanks in advance,
>>
>> Jesse
>>
>> Tech details:
>>
>> Linux sensor-test 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT
>> 2012 x86_64 x86_64 x86_64 GNU/Linux
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>
>> PF_RING Version     : 5.2.1 ($Revision: 5041$)
>> Ring slots          : 8192
>> Slot version        : 13
>> Capture TX          : No [RX only]
>> IP Defragment       : No
>> Socket Mode         : Standard
>> Transparent mode    : No (mode 2)
>> Total rings         : 2
>> Total plugins       : 0
>>
>> # snort --version
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.3_rc GRE (Build 35)
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>            Using libpcap version 1.1.1
>>            Using PCRE version: 7.8 2008-09-05
>>            Using ZLIB version: 1.2.3
>>
>> # snort --version
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.2.3 GRE (Build 205)
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>            Using libpcap version 1.1.1
>>            Using PCRE version: 7.8 2008-09-05
>>            Using ZLIB version: 1.2.3
>>
>> $ ./configure --with-libpcap-includes=/usr/local/include
>> --with-libpcap-libraries=/usr/local/lib
>> --with-dnet-includes=/usr/local/include
>> --with-dnet-libraries=/usr/local/lib --disable-ipv6
>> --disable-active-response --disable-react
>>
>> DAQ:
>> It was created by daq configure 0.6.2, which was
>> generated by GNU Autoconf 2.67.  Invocation command line was
>>
>>   $ ./configure --with-libpcap-includes=/usr/local/include
>> --with-libpcap-libraries=/usr/local/lib
>>
>>
>> --
>> Jesse Bowling
>>
>>
>>
>
>
> --
> Jesse Bowling
>
>
>
>