[Snort-users] Fwd: Snort 2.9.6.0 memory leak?

Hui Cao (huica) huica at ...589...
Fri Feb 28 07:08:43 EST 2014


This depends on your snort configuration. You can get the upper bound by adding up all memcap values for (frag3, stream5, all preprocessors etc).  In addition,  Max_tcp and Max_udp will also add up the memory on top of that.  Normally, snort might use up to 1 G memory to stabilize. However, I have seen it reaches 1.5 G when max_tcp or max_udp is large. You can change those two values to get a smaller upper bound.

Best,
Hui.

From: Mirek Suliba <msuliba at ...11827...<mailto:msuliba at ...11827...>>
Date: Thursday, February 27, 2014 at 8:37 PM
To: waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>>
Cc: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: Re: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?

I'm not concern about free memory but about rate how fast and constant  amount of memory used by Snort were growing. It was about 70MB per hour. I didn't want to get to situation when system started to be our of memory. Any suggestion at what level I should expect Snort memory usage to stabilize? Is that any "hard" limit for this?

Thank you,

  - Mirek



On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:
On 2/27/2014 5:32 PM, Mirek Suliba wrote:
> Constant growth of memory usage looks a little bit scary but I hope that you are
> right that it will stop at some point. I will run it for a longer period of time
> to check.

is this a *nix box? if yes, *nix will properly use memory to the fullest... it
is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on the
other hand, have been much different over the years... using all available
memory is not a bad thing... it is, in fact, a very good thing... as long as it
doesn't keep growing beyond what is truly needed ;)

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140228/d2727171/attachment.html>


More information about the Snort-users mailing list