[Snort-users] Memory leak in snort?

snort user snort.user at ...11827...
Tue Jun 6 17:14:44 EDT 2006


I am guessing you must have the stream4 preprocessor turned on.
If yes, that might be the only possible place where memory is being eaten up.



On 6/6/06, Paul Schmehl <pauls at ...6838...> wrote:
> We're running snort on a dual processor (AMD) box (FreeBSD 6.0), and
> we're having a problem that appears to be caused by snort.  As time
> passes, more and more of the swap space is used until swap is completely
> exhausted.  This machine has 2GB of real memory and 6GB of swap space,
> yet swap is being steadily exhausted.
>
> If we stop snort, the swap space usage drops to almost nil.  After we
> start snort again, swap usage steadily climbs until it's exhausted again.
>
> The odd thing is, we're running two instances of snort on this box.  One
> using the "standard" set of rules tweaked for our network, and a second
> with a handful of custom rules that we use for looking at internal
> stuff.  The other process doesn't eat up memory at all.
>
> I've never seen this problem with snort before.  Does snort have a
> problem with a dual CPU architecture or threading?
>
> System info:
>
> uname -a
> FreeBSD hostname.utdallas.edu 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu
> Mar 30 19:25:18 CST 2006
> root at ...13846...:/usr/obj/usr/src/sys/SMPKERNEL  amd64
>
> from dmesg:
> CPU: AMD Opteron(tm) Processor 244 (1793.88-MHz K8-class CPU)
>    Origin = "AuthenticAMD"  Id = 0xf5a  Stepping = 10
>
> Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
>    AMD Features=0xe0500800<SYSCALL,NX,MMX+,LM,3DNow+,3DNow>
> real memory  = 2146893824 (2047 MB)
> avail memory = 2065797120 (1970 MB)
> ACPI APIC Table: <PTLTD          APIC  >
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
>   cpu0 (BSP): APIC ID:  0
>   cpu1 (AP): APIC ID:  1
>
>   snort -V
>
>     ,,_     -*> Snort! <*-
>    o"  )~   Version 2.4.4 (Build 28) FreeBSD
>     ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>             (C) Copyright 1998-2005 Sourcefire Inc., et al.
>
> grep output /usr/local/etc/snort/snort.conf | grep -v "#"
> output log_unified: filename snort.log, limit 128
>
> If it matters, the sniffing interface is a Broadcom Gig NIC.
> ifconfig bge0
> bge0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> mtu 1500
>          options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
>          [I've removed the bits that reveal the MAC address]
>          media: Ethernet autoselect (1000baseTX <full-duplex>)
>          status: active
>
> top -o size shows snort as the number one process (in terms of memory
> use), and it keeps growing until swap is completely exhausted.
>
> Is there a way to limit the amount of swap space snort will use?  Is
> this a bug in the program?
>
> --
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>



