[Snort-users] Snort slurps memory

Matt Kettler mkettler at ...4108...
Fri Jan 31 10:52:02 EST 2003


I think a large part of this is portscan2 and conversation preprocessors.

Using the exact same configuration, merely commenting out the conversation 
and portscan2 preprocessors ps aux shows:

With conversation and portscan2

USER       PID %CPU %MEM   VSZ   RSS TT   STAT STARTED
xxxx    xxx69  0.0 44.7 54656 29076 ??  Ss     1:30AM

Without conversation and portscan2:

USER       PID %CPU %MEM   VSZ   RSS TT   STAT STARTED
xxxx    xxx85  0.1 15.8 10620 10264 ??  Ss     1:57PM

So the total VSZ for snort changes by about 44megs when portscan2 and 
conversation are enabled. That's big.

At 02:36 PM 1/31/2003 +0100, Maarten de Vries wrote:
>Hi,
>
>If this has been discussed before I apologize, but I haven't found an answer
>in the archives so far.
>Ever since we upgraded to 1.9.0, the amount of memory Snort uses has
>increased dramatically. The total size of the process was never more than
>about 8Mb, however, Snort now seems to occupy around 50Mb.
>Can anyone tell me why the process has grown so incredibly large?
>
>The OS involved is FreeBSD 4.7-STABLE on Intels with 512Mb of memory. Snort
>is restarted daily.
>
>Thanks in advance,
>--
>Maarten
>http://unsavouy.net
>
>
>
>-------------------------------------------------------
>This SF.NET email is sponsored by:
>SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>http://www.vasoftware.com
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list