[Snort-users] Snort High Memory Usage

waldo kitty wkitty42 at ...14940...
Sat Jun 1 03:45:41 EDT 2013

On 5/31/2013 20:00, Joel Esler wrote:
> 2.9.x takes more memory than 2.8.x. It does much more. Kinda of a bad comparison.

true but i was only posting those to show the difference... not really as a 
comparison of the two versions...

> --
> *Mobile*
> On May 31, 2013, at 7:54 PM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>> On 5/31/2013 19:27, Josh Bitto wrote:
>>> I'm just doing a top on command line and looking at mem% for each snort pid
>>> that comes up for the sensors.
>> i thought that was likely the case ;)
>> what are the numbers under the VIRT and RES columns?
>> can i assume that you are doing SHIFT-M in top to sort by most memory used?
>>> We had Emerging threats and the original snort rules enabled. Took ET off and
>>> that took the memory down some, but I don't want to sacrifice that if I can
>>> help it.
>> one box i'm looking at with and only the default VRT rules set with no
>> rules commented out or added shows
>> VIRT = 371m RES = 119m
>> another box with and only the ET set plus some (~15) local.rules with
>> some of the ET rules disabled from default shows
>> VIRT = 199m RES = 175m
>>> -----Original Message----- From: waldo kitty
>>> [mailto:wkitty42 at ...14940...] Sent: Friday, May 31, 2013 4:20 PM To:
>>> snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
>>> Subject: Re: [Snort-users] Snort High
>>> Memory Usage
>>> On 5/31/2013 17:46, Josh Bitto wrote:
>>>> Currently I’m running 7 snort sensors on my pfsense firewall and each of
>>>> them is at 672 mb’s for using memory. Which seems really high. I believe I
>>>> read somewhere in documentation that the memory is usually around 200 mb’s.
>>>> Can anyone shed some light on this for me?
>>> how many rules do you have enabled?
>>> what tool are you using to view that memory consumption?
>>> what column are those figures listed under in that tool?

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list