[Snort-users] what is the difference in memory models (search-method lowmem) mean?

Jason Brvenik jasonb at ...1935...
Sun Sep 17 23:30:30 EDT 2006


Jason Haar wrote:
> I have been putting off upgrading our snort network from 2.4X to 2.6 for
> ages because we run a fairly full ruleset and I saw memory usage leap
> between the two versions.
> 
> e.g. I just tried out 2.6.0.2 and our snort installs hit 850MB RAM per
> process - owch! (under RHE4). This compares with 240MB under 2.4X
> 
> However, if I enable the line "config detection: search-method lowmem",
> memory utilization under 2.6 falls waaaaay down to <100MB.
> 
> Sounds too good to be true. What am I missing out on by doing such an
> action? And if this sort of memory usage is expected, is everyone just
> putting in 4G RAM to deal with this sort of thing?
> 
> Thanks
> 


Below is a cut and paste from a mail Marc Norton sent to the snort-devel
list. [0] It should make it more clear.

> In 2.6.0 we use the ac method, it is the fastest, but does consume more 
> memory and takes some initial resources to build the DFA it uses.  The 
> acs/ac-banded/and ac-sparsebands/mwm/lowmem methods each use less 
> memory than the ac or ac-std methods.  However, we do not recommend mwm 
> as it poses some DOS opportunities with repeated patterns. The low mem 
> method is about 20% slower than the faster methods, but uses very little 
> memory and very little initial resources.  Of course you can also revert 
> to the ac-std method that has been in use since 2.0 as well. Its 
> startup is about 3x faster than the other ac methods.
> 
> Memory usage most to least is:
> 
> ac-std
> ac
> ac-banded
> ac-sparsebands
> mwm
> acs
> lowmem
> 
> startup processing most to least is
> 
> most
> -----
> ac
> ac-banded
> ac-sparsebands
> acs
> 
> moderate
> ---------
> ac-std
> 
> very little
> ---------
> mwm
> lowmem
> 
> 


[0] - http://marc2.theaimsgroup.com/?l=snort-devel&m=115627559410302&w=3
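
The memory-versus-speed trade-off described in the quoted mail, as an added illustration that is not part of the original thread and is not Snort's code: a generic Aho-Corasick matcher built once in sparse form (edge dictionaries plus failure links) and once expanded to a full state-by-byte matrix. It shows the general trade-off only and does not reproduce how Snort implements any of the listed search methods; all function names, patterns and the payload are constructed for this example.

```python
from collections import deque
ALPHABET = 256  # the full-matrix form stores one next-state cell per byte value

def step(goto, fail, s, b):  # sparse transition: follow failure links until b has an edge
    hops = 1
    while s and b not in goto[s]:
        s, hops = fail[s], hops + 1
    return goto[s].get(b, 0), hops

def build_trie(patterns):  # sparse Aho-Corasick: edge dicts, failure links, match sets
    goto, fail, out = [{}], [0], [set()]
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(pat)
    queue = deque(goto[0].values())
    while queue:  # breadth-first, so shallower failure links already exist
        s = queue.popleft()
        for b, t in goto[s].items():
            fail[t] = step(goto, fail, fail[s], b)[0]
            out[t] |= out[fail[t]]
            queue.append(t)
    return goto, fail, out

def build_dfa(goto, fail):  # full matrix: resolve every (state, byte) pair at build time
    return [[step(goto, fail, s, b)[0] for b in range(ALPHABET)] for s in range(len(goto))]

def scan(data, out, next_state):  # next_state(s, b) -> (state, lookups spent on this byte)
    s, hits, cost = 0, [], 0
    for i, b in enumerate(data):
        s, hops = next_state(s, b)
        cost += hops
        hits += [(i, p) for p in sorted(out[s])]
    return hits, cost

def compare(patterns, data):  # -> (sparse scan, full scan, (sparse slots, full cells))
    goto, fail, out = build_trie(patterns)
    dfa = build_dfa(goto, fail)
    sparse = scan(data, out, lambda s, b: step(goto, fail, s, b))
    full = scan(data, out, lambda s, b: (dfa[s][b], 1))
    return sparse, full, (sum(len(g) for g in goto) + len(goto), len(dfa) * ALPHABET)

# Constructed sample patterns and payload, not taken from any Snort ruleset.
PATTERNS = [b"cmd.exe", b"/etc/passwd", b"passwd", b"exec"]
PAYLOAD = b"GET /etc/passwd?x=cmd.exe"
```

Calling `compare(PATTERNS, PAYLOAD)` returns the same matches from both forms; the full matrix spends exactly one lookup per byte, while the sparse form stores far fewer slots and pays for it with extra failure-link hops.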




