[Snort-users] Snort v2.6.0 and Excessive Memory

Zakai Kinan titanyen2000 at ...131...
Thu Jun 29 14:11:09 EDT 2006


I use this configuration option "config detection:
search-method lowmem".  I had the same problem before
using it.  Keep in mind that I have a small network.

ZK

--- Ron Jenkins <rjenkins at ...12829...> wrote:

> I had to back off from v2.6.0, because it was not detecting a high
> percentage of alerts.
>
> With 1GB of RAM and Snort v2.4.5 we still have 300MB free, but with
> v2.6.0 there is only 70MB free.
>
> Below is the config detection setting being used;
> config detection: search-method ac-sparsebands
>
> Does anyone have any ideas? Below is the configuration being used and
> the load line.
>
> Thanks...
>
> /usr/local/bin/snort -i nic0 -e -d -D -c /etc/snort/snort.conf -l /var/log/snort
>
> #--------------------------------------------------
> #   http://www.snort.org     Snort 2.6.0 config file
> #     Contact: snort-sigs at lists.sourceforge.net
> #--------------------------------------------------
> # $Id$
> #
> ###################################################
> # This file contains a sample snort configuration.
> # You can take the following steps to create your own custom configuration:
> #
> #  1) Set the variables for your network
> #  2) Configure dynamic loaded libraries
> #  3) Configure preprocessors
> #  4) Configure output plugins
> #  5) Add any runtime config directives
> #  6) Customize your rule set
> #
> ###################################################
> # Step #1: Set the network variables:
> #
> # You must change the following variables to reflect your local network. The
> # variable is currently setup for an RFC 1918 address space.
> #
> # You can specify it explicitly as:
> #
> # var HOME_NET 10.1.1.0/24
> #
> # or use global variable $<interfacename>_ADDRESS which will be always
> # initialized to IP address and netmask of the network interface which you run
> # snort at.  Under Windows, this must be specified as
> # $(<interfacename>_ADDRESS), such as:
> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> #
> # var HOME_NET $eth0_ADDRESS
> #
> # You can specify lists of IP addresses for HOME_NET
> # by separating the IPs with commas like this:
> #
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> #
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> #
> # or you can specify the variable to be any IP address
> # like this:
>
> var HOME_NET any
>
> # Set up the external network addresses as well.  A good start may be "any"
> var EXTERNAL_NET any
>
> # Configure your server lists.  This allows snort to only look for attacks to
> # systems that have a service up.  Why look for HTTP attacks if you are not
> # running a web server?  This allows quick filtering based on IP addresses
> # These configurations MUST follow the same configuration scheme as defined
> # above for $HOME_NET.
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
> 
=== message truncated ===

