[Snort-users] Question About the Current CVS version of snort

Christopher Cramer cec at ...68...
Sun Nov 5 14:01:05 EST 2000

In theory, it should use ~128 kB per monitored connection.  What
connections are currently being monitored is a function of the timeout
(specified in the preprocessor statement in the config file), what ports
are being monitored, how many hosts the monitor can see and how many new
connections are created/destroyed within the timeout.

Around here, it usually levels off around 30 MB or so, but I should
probably run this on our production snort box again to verify that (this
has mainly been a time thing and not a lack of confidence thing :-)
I did recently add some hashing to TCP reassembly code, I supose that
could have screwed up the correct releasing of memory.

One feature that I need to add is the ability specify which servers to
monitor so that you don't end up monitoring your client's connections to
external servers.  

Sorry I can't be of more help right now, but since you have brought it up,
I will go back and reverify the lack of memory leaks.


On Sun, 5 Nov 2000, Len Burns wrote:

> On Sun, 5 Nov 2000, Christopher Cramer wrote:
> > 
> > Are you using the TCP reassembly plugin?  I have confirmed that it (most
> > likely) does not have a memory leak, but it does consume large amounts of
> > memory depending on the number of machines/ports being reassembled.
> > 
> > For me, it usually levels off at some point.
> Yes, I have been using that.  About how long does it take to level
> off, and around how much memory use?  So far it has not exceedd the
> capacity of its hosts, but concerned me because it continued to
> increase.  Thanks.  
> -Len

More information about the Snort-users mailing list