[Snort-users] Fwd: Snort memory leak?

Hui Cao (huica) huica at ...589...
Fri Feb 28 07:08:43 EST 2014

This depends on your snort configuration. You can get the upper bound by adding up all memcap values for (frag3, stream5, all preprocessors etc).  In addition,  Max_tcp and Max_udp will also add up the memory on top of that.  Normally, snort might use up to 1 G memory to stabilize. However, I have seen it reaches 1.5 G when max_tcp or max_udp is large. You can change those two values to get a smaller upper bound.


From: Mirek Suliba <msuliba at ...11827...<mailto:msuliba at ...11827...>>
Date: Thursday, February 27, 2014 at 8:37 PM
To: waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>>
Cc: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: Re: [Snort-users] Fwd: Snort memory leak?

I'm not concern about free memory but about rate how fast and constant  amount of memory used by Snort were growing. It was about 70MB per hour. I didn't want to get to situation when system started to be our of memory. Any suggestion at what level I should expect Snort memory usage to stabilize? Is that any "hard" limit for this?

Thank you,

  - Mirek

On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:
On 2/27/2014 5:32 PM, Mirek Suliba wrote:
> Constant growth of memory usage looks a little bit scary but I hope that you are
> right that it will stop at some point. I will run it for a longer period of time
> to check.

is this a *nix box? if yes, *nix will properly use memory to the fullest... it
is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on the
other hand, have been much different over the years... using all available
memory is not a bad thing... it is, in fact, a very good thing... as long as it
doesn't keep growing beyond what is truly needed ;)

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140228/d2727171/attachment.html>

More information about the Snort-users mailing list