[Snort-users] Memory leak in snort?
pauls at ...6838...
Tue Jun 6 16:19:35 EDT 2006
We're running snort on a dual processor (AMD) box (FreeBSD 6.0), and
we're having a problem that appears to be caused by snort. As time
passes, more and more of the swap space is used until swap is completely
exhausted. This machine has 2GB of real memory and 6GB of swap space,
yet swap is being steadily exhausted.

If we stop snort, the swap space usage drops to almost nil. After we
start snort again, swap usage steadily climbs until it's exhausted again.

The odd thing is, we're running two instances of snort on this box. One
using the "standard" set of rules tweaked for our network, and a second
with a handful of custom rules that we use for looking at internal
stuff. The other process doesn't eat up memory at all.

I've never seen this problem with snort before. Does snort have a
problem with a dual CPU architecture or threading?

FreeBSD hostname.utdallas.edu 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu
Mar 30 19:25:18 CST 2006
root at ...13846...:/usr/obj/usr/src/sys/SMPKERNEL amd64
CPU: AMD Opteron(tm) Processor 244 (1793.88-MHz K8-class CPU)
Origin = "AuthenticAMD" Id = 0xf5a Stepping = 10
real memory = 2146893824 (2047 MB)
avail memory = 2065797120 (1970 MB)
ACPI APIC Table: <PTLTD APIC >
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
,,_ -*> Snort! <*-
o" )~ Version 2.4.4 (Build 28) FreeBSD
'''' By Martin Roesch & The Snort Team:
(C) Copyright 1998-2005 Sourcefire Inc., et al.
grep output /usr/local/etc/snort/snort.conf | grep -v "#"
output log_unified: filename snort.log, limit 128
If it matters, the sniffing interface is a Broadcom Gig NIC.
[I've removed the bits that reveal the MAC address]
media: Ethernet autoselect (1000baseTX <full-duplex>)

top -o size shows snort as the number one process (in terms of memory
use), and it keeps growing until swap is completely exhausted.

Is there a way to limit the amount of swap space snort will use? Is
this a bug in the program?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas