[Snort-users] Snort getting overloaded by http traffic:

Jason Haar Jason.Haar at ...294...
Tue Jun 25 18:56:01 EDT 2002

On Tue, Jun 25, 2002 at 01:35:10PM -0400, McCammon, Keith wrote:
> The amount of traffic that Snort is able to inspect has less to do with
> Snort and almost everything to do with the underlying operating system, IP
> stack, and (most importantly) available resources.  If the operating system
> is short of resources (specifically RAM), then packets are going to be
> dropped by the kernel due to lack of buffer space and general congestion.
> As such, they will never be presented to Snort for inspection.

[mutter, mutter Microsoft - how about some word wrapping!!!]

Anyway, this comment about RAM - is that actually true? I mean, there's a
few areas where snort needs to swallow *some* RAM - to track state, etc -
but other than that it's not a big requirement....

The reason I ask is that I'm running snort under daemontools as a supervised
script, and one thing I've done is to tell it it can't grow above 20M as
that indicates a memory leak. So far snort appears to hang around 10M - so I
feel happy with that.

Does snort ever need to grow to > 20Meg???


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list