[Snort-users] Memory leak in snort?

Paul Schmehl pauls at ...6838...
Tue Jun 6 16:19:35 EDT 2006

We're running snort on a dual processor (AMD) box (FreeBSD 6.0), and 
we're having a problem  that appears to be caused by snort.  As time 
passes, more and more of the swap space is used until swap is completely 
exhausted.  This machine has 2GB of real memory and 6GB of swap space, 
yet swap is being steadily exhausted.

If we stop snort, the swap space usage drops to almost nil.  After we 
start snort again, swap usage steadily climbs until it's exhausted again.

The odd thing is, we're running two instances of snort on this box.  One 
using the "standard" set of rules tweaked for our network, and a second 
with a handful of custom rules that we use for looking at internal 
stuff.  The other process doesn't eat up memory at all.

I've never seen this problem with snort before.  Does snort have a 
problem with a dual CPU architecture or threading?

System info:

uname -a
FreeBSD hostname.utdallas.edu 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu 
Mar 30 19:25:18 CST 2006 
root at ...13846...:/usr/obj/usr/src/sys/SMPKERNEL  amd64

from dmesg:
CPU: AMD Opteron(tm) Processor 244 (1793.88-MHz K8-class CPU)
   Origin = "AuthenticAMD"  Id = 0xf5a  Stepping = 10
   AMD Features=0xe0500800<SYSCALL,NX,MMX+,LM,3DNow+,3DNow>
real memory  = 2146893824 (2047 MB)
avail memory = 2065797120 (1970 MB)
ACPI APIC Table: <PTLTD          APIC  >
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
  cpu0 (BSP): APIC ID:  0
  cpu1 (AP): APIC ID:  1

  snort -V

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.4.4 (Build 28) FreeBSD
    ''''    By Martin Roesch & The Snort Team: 
            (C) Copyright 1998-2005 Sourcefire Inc., et al.

grep output /usr/local/etc/snort/snort.conf | grep -v "#"
output log_unified: filename snort.log, limit 128

If it matters, the sniffing interface is a Broadcomm Gig nic.
ifconfig bge0
         [I've removed the bits that reveal the MAC address]
         media: Ethernet autoselect (1000baseTX <full-duplex>)
         status: active

top -o size shows snort as the number one process (in terms of memory 
use), and it keeps growing until swap is completely exhausted.

Is there a way to limit the amount of swap space snort will use?  Is 
this a bug in the program?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5007 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060606/5533128e/attachment.bin>

More information about the Snort-users mailing list