[Snort-users] Memory leak in snort?
snort.user at ...11827...
Tue Jun 6 17:15:50 EDT 2006
I take it back.
I meant "that might be one possible place" and not "that might be only
On 6/6/06, snort user <snort.user at ...11827...> wrote:
> I am guessing you must have stream4 preprocessor turned on.
> If yes, that might be only possible place where memory is being eaten up.
> On 6/6/06, Paul Schmehl <pauls at ...6838...> wrote:
> > We're running snort on a dual processor (AMD) box (FreeBSD 6.0), and
> > we're having a problem that appears to be caused by snort. As time
> > passes, more and more of the swap space is used until swap is completely
> > exhausted. This machine has 2GB of real memory and 6GB of swap space,
> > yet swap is being steadily exhausted.
> > If we stop snort, the swap space usage drops to almost nil. After we
> > start snort again, swap usage steadily climbs until it's exhausted again.
> > The odd thing is, we're running two instances of snort on this box. One
> > using the "standard" set of rules tweaked for our network, and a second
> > with a handful of custom rules that we use for looking at internal
> > stuff. The other process doesn't eat up memory at all.
> > I've never seen this problem with snort before. Does snort have a
> > problem with a dual CPU architecture or threading?
> > System info:
> > uname -a
> > FreeBSD hostname.utdallas.edu 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Mar 30 19:25:18 CST 2006 root at ...13846...:/usr/obj/usr/src/sys/SMPKERNEL amd64
> > from dmesg:
> > CPU: AMD Opteron(tm) Processor 244 (1793.88-MHz K8-class CPU)
> > Origin = "AuthenticAMD" Id = 0xf5a Stepping = 10
> > Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
> > AMD Features=0xe0500800<SYSCALL,NX,MMX+,LM,3DNow+,3DNow>
> > real memory = 2146893824 (2047 MB)
> > avail memory = 2065797120 (1970 MB)
> > ACPI APIC Table: <PTLTD APIC >
> > FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
> > cpu0 (BSP): APIC ID: 0
> > cpu1 (AP): APIC ID: 1
> > snort -V
> > ,,_ -*> Snort! <*-
> > o" )~ Version 2.4.4 (Build 28) FreeBSD
> > '''' By Martin Roesch & The Snort Team:
> > http://www.snort.org/team.html
> > (C) Copyright 1998-2005 Sourcefire Inc., et al.
> > grep output /usr/local/etc/snort/snort.conf | grep -v "#"
> > output log_unified: filename snort.log, limit 128
> > If it matters, the sniffing interface is a Broadcom Gig NIC.
> > ifconfig bge0
> > bge0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> mtu 1500
> > options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
> > [I've removed the bits that reveal the MAC address]
> > media: Ethernet autoselect (1000baseTX <full-duplex>)
> > status: active
> > top -o size shows snort as the number one process (in terms of memory
> > use), and it keeps growing until swap is completely exhausted.
> > Is there a way to limit the amount of swap space snort will use? Is
> > this a bug in the program?
> > --
> > Paul Schmehl (pauls at ...6838...)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > http://www.utdallas.edu/ir/security/