[Snort-users] Snort High Memory Usage

waldo kitty wkitty42 at ...14940...
Sat Jun 1 03:45:41 EDT 2013


On 5/31/2013 20:00, Joel Esler wrote:
> 2.9.x takes more memory than 2.8.x. It does much more. Kinda of a bad comparison.

true but i was only posting those to show the difference... not really as a 
comparison of the two versions...

> --
> *Mobile*
>
> On May 31, 2013, at 7:54 PM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>
>> On 5/31/2013 19:27, Josh Bitto wrote:
>>> I'm just doing a top on command line and looking at mem% for each snort pid
>>> that comes up for the sensors.
>>
>> i thought that was likely the case ;)
>>
>> what are the numbers under the VIRT and RES columns?
>>
>> can i assume that you are doing SHIFT-M in top to sort by most memory used?
>>
>>> We had Emerging threats and the original snort rules enabled. Took ET off and
>>> that took the memory down some, but I don't want to sacrifice that if I can
>>> help it.
>>
>> one box i'm looking at with 2.9.4.1 and only the default VRT rules set with no
>> rules commented out or added shows
>>
>> VIRT = 371m RES = 119m
>>
>> another box with 2.8.6.1 and only the ET set plus some (~15) local.rules with
>> some of the ET rules disabled from default shows
>>
>> VIRT = 199m RES = 175m
>>
>>
>>
>>> -----Original Message----- From: waldo kitty
>>> [mailto:wkitty42 at ...14940...] Sent: Friday, May 31, 2013 4:20 PM To:
>>> snort-users at lists.sourceforge.net <mailto:snort-users at lists.sourceforge.net>
>>> Subject: Re: [Snort-users] Snort High
>>> Memory Usage
>>>
>>> On 5/31/2013 17:46, Josh Bitto wrote:
>>>> Currently I’m running 7 snort sensors on my pfsense firewall and each of
>>>> them is at 672 mb’s for using memory. Which seems really high. I believe I
>>>> read somewhere in documentation that the memory is usually around 200 mb’s.
>>>> Can anyone shed some light on this for me?
>>>
>>> how many rules do you have enabled?
>>>
>>> what tool are you using to view that memory consumption?
>>>
>>> what column are those figures listed under in that tool?



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-users mailing list