[Fwd: [Snort-users] snort-2.6rc1 using a lot of memory]

Steven Sturges steve.sturges at ...1935...
Wed May 10 14:43:38 EDT 2006


Nerijus--

As noted in the RELEASE.NOTES, there was a change in the
default pattern matching engine from Wu-Manber to standard
Aho-Corasick which is faster but consumes more memory.

This effectively replaced an implicit config of

config detection: search-method mwm

with

config detection: search-method ac

The Aho-Corasick implementation in snort has a few different
memory models, standard, full, banded, sparse, and sparse
banded.  The sparse and spare-banded ones consume much less
memory... To use them, add a snort.conf line, as desired,
for example.  Wu-Manber is being deprecated in the next
release.

config detection: search-method ac-sparsebands

There is also the lowmem method, which is slow, but uses
very little memory.

Cheers.
-steve

>   While running a test instance of snort-2.6rc1 (and the same was with
> 2.6beta) on Linux, noticed that it is very memory hungry. At the
> moment it's 865Mb in resident size with almost all preprocessors
> enabled and almost all VRT, community and bleeding rules. Is that
> normal and we should expect that 2.6 series will demand that much RAM?
> Of course, with this kind of setup one can expect that snort will
> consume a bit bigger amount of RAM, but not in such numbers. For
> example, 2.4.4 running with the same config (as much as it is
> possible, taking into account the differences between 2.4 and 2.6
> series) is 125Mb in resident size. That's nearly 7 times less.
> 
>   If any of the developers are interested in my config -- just tell me. :)




More information about the Snort-users mailing list