[Snort-users] Memory leak in snort?
snort.user at ...11827...
Tue Jun 6 17:14:44 EDT 2006
I am guessing you must have the stream4 preprocessor turned on.
If yes, that might be the only possible place where memory is being eaten up.
On 6/6/06, Paul Schmehl <pauls at ...6838...> wrote:
> We're running snort on a dual processor (AMD) box (FreeBSD 6.0), and
> we're having a problem that appears to be caused by snort. As time
> passes, more and more of the swap space is used until swap is completely
> exhausted. This machine has 2GB of real memory and 6GB of swap space,
> yet swap is being steadily exhausted.
> If we stop snort, the swap space usage drops to almost nil. After we
> start snort again, swap usage steadily climbs until it's exhausted again.
> The odd thing is, we're running two instances of snort on this box. One
> using the "standard" set of rules tweaked for our network, and a second
> with a handful of custom rules that we use for looking at internal
> stuff. The other process doesn't eat up memory at all.
> I've never seen this problem with snort before. Does snort have a
> problem with a dual CPU architecture or threading?
> System info:
> uname -a
> FreeBSD hostname.utdallas.edu 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu
> Mar 30 19:25:18 CST 2006
> root at ...13846...:/usr/obj/usr/src/sys/SMPKERNEL amd64
> from dmesg:
> CPU: AMD Opteron(tm) Processor 244 (1793.88-MHz K8-class CPU)
> Origin = "AuthenticAMD" Id = 0xf5a Stepping = 10
> AMD Features=0xe0500800<SYSCALL,NX,MMX+,LM,3DNow+,3DNow>
> real memory = 2146893824 (2047 MB)
> avail memory = 2065797120 (1970 MB)
> ACPI APIC Table: <PTLTD APIC >
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
> cpu0 (BSP): APIC ID: 0
> cpu1 (AP): APIC ID: 1
> snort -V
> ,,_ -*> Snort! <*-
> o" )~ Version 2.4.4 (Build 28) FreeBSD
> '''' By Martin Roesch & The Snort Team:
> (C) Copyright 1998-2005 Sourcefire Inc., et al.
> grep output /usr/local/etc/snort/snort.conf | grep -v "#"
> output log_unified: filename snort.log, limit 128
> If it matters, the sniffing interface is a Broadcom Gig NIC.
> ifconfig bge0
> flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> mtu
> [I've removed the bits that reveal the MAC address]
> media: Ethernet autoselect (1000baseTX <full-duplex>)
> status: active
> top -o size shows snort as the number one process (in terms of memory
> use), and it keeps growing until swap is completely exhausted.
> Is there a way to limit the amount of swap space snort will use? Is
> this a bug in the program?
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas