[Snort-users] Memory leak in snort?

snort user snort.user at ...11827...
Tue Jun 6 17:15:50 EDT 2006


I take it back.
I meant "that might be one possible place" and not "that might be only
possible place".



On 6/6/06, snort user <snort.user at ...11827...> wrote:
> I am guessing you must have stream4 preprocessor turned on.
> If yes, that might be only possible place where memory is being eaten up.
>
>
>
> On 6/6/06, Paul Schmehl <pauls at ...6838...> wrote:
> > We're running snort on a dual processor (AMD) box (FreeBSD 6.0), and
> > we're having a problem  that appears to be caused by snort.  As time
> > passes, more and more of the swap space is used until swap is completely
> > exhausted.  This machine has 2GB of real memory and 6GB of swap space,
> > yet swap is being steadily exhausted.
> >
> > If we stop snort, the swap space usage drops to almost nil.  After we
> > start snort again, swap usage steadily climbs until it's exhausted again.
> >
> > The odd thing is, we're running two instances of snort on this box.  One
> > using the "standard" set of rules tweaked for our network, and a second
> > with a handful of custom rules that we use for looking at internal
> > stuff.  The other process doesn't eat up memory at all.
> >
> > I've never seen this problem with snort before.  Does snort have a
> > problem with a dual CPU architecture or threading?
> >
> > System info:
> >
> > uname -a
> > FreeBSD hostname.utdallas.edu 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Mar 30 19:25:18 CST 2006 root at ...13846...:/usr/obj/usr/src/sys/SMPKERNEL  amd64
> >
> > from dmesg:
> > CPU: AMD Opteron(tm) Processor 244 (1793.88-MHz K8-class CPU)
> >    Origin = "AuthenticAMD"  Id = 0xf5a  Stepping = 10
> >    Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
> >    AMD Features=0xe0500800<SYSCALL,NX,MMX+,LM,3DNow+,3DNow>
> > real memory  = 2146893824 (2047 MB)
> > avail memory = 2065797120 (1970 MB)
> > ACPI APIC Table: <PTLTD          APIC  >
> > FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
> >   cpu0 (BSP): APIC ID:  0
> >   cpu1 (AP): APIC ID:  1
> >
> >   snort -V
> >
> >     ,,_     -*> Snort! <*-
> >    o"  )~   Version 2.4.4 (Build 28) FreeBSD
> >     ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> >             (C) Copyright 1998-2005 Sourcefire Inc., et al.
> >
> > grep output /usr/local/etc/snort/snort.conf | grep -v "#"
> > output log_unified: filename snort.log, limit 128
> >
> > If it matters, the sniffing interface is a Broadcom Gig nic.
> > ifconfig bge0
> > bge0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> mtu 1500
> >          options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
> >          [I've removed the bits that reveal the MAC address]
> >          media: Ethernet autoselect (1000baseTX <full-duplex>)
> >          status: active
> >
> > top -o size shows snort as the number one process (in terms of memory
> > use), and it keeps growing until swap is completely exhausted.
> >
> > Is there a way to limit the amount of swap space snort will use?  Is
> > this a bug in the program?
> >
> > --
> > Paul Schmehl (pauls at ...6838...)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > http://www.utdallas.edu/ir/security/



