[Snort-users] Fwd: Snort 2.9.6.0 memory leak?

Mirek Suliba msuliba at ...11827...
Fri Feb 28 10:25:01 EST 2014


I'm using the default settings from the VRT-supplied snort.conf:

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \

Is it possible to tell, or at least estimate, what the maximum memory usage in
this default configuration will be?

Thank you,

  - Mirek



On Fri, Feb 28, 2014 at 6:08 AM, Hui Cao (huica) <huica at ...589...> wrote:

>  This depends on your snort configuration. You can get the upper bound by
> adding up all memcap values for (frag3, stream5, all preprocessors etc).
>  In addition,  Max_*tcp and Max_udp will also add up the memory on top of
> that.  Normally, snort might use up to 1 G memory to stabilize. However, I
> have seen it reach 1.5 G when max_*tcp or max_udp is large. You can
> change those two values to get a smaller upper bound.
>
>  *Best,*
> *Hui.  *
>
>   From: Mirek Suliba <msuliba at ...11827...>
> Date: Thursday, February 27, 2014 at 8:37 PM
> To: waldo kitty <wkitty42 at ...14940...>
>
> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?
>
>    I'm not concerned about free memory but about how fast and how
> constantly the amount of memory used by Snort was growing. It was about 70MB
> per hour. I didn't want to get to a situation where the system started to be
> out of memory. Any suggestion at what level I should expect Snort memory usage
> to stabilize? Is there any "hard" limit for this?
>
>  Thank you,
>
>    - Mirek
>
>
>
> On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>
>> On 2/27/2014 5:32 PM, Mirek Suliba wrote:
>> > Constant growth of memory usage looks a little bit scary but I hope that
>> > you are right that it will stop at some point. I will run it for a longer
>> > period of time to check.
>>
>>  is this a *nix box? if yes, *nix will properly use memory to the fullest...
>> it is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on
>> the other hand, have been much different over the years... using all
>> available memory is not a bad thing... it is, in fact, a very good thing...
>> as long as it doesn't keep growing beyond what is truly needed ;)
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>>        Please keep mailing list traffic on the list unless
>>        private contact is specifically requested and granted.
>>
>>
>
>
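
Added example, not part of the original thread: a Python script for the estimate Hui describes, summing every explicit `memcap` in a snort.conf and reporting the `max_tcp`/`max_udp` session caps that add memory on top. The sample config is constructed (only the stream5_global lines come from the thread; the memcap values are made up), and `bytes_per_session` is a hypothetical parameter because the thread gives no per-session cost.

```python
import re

# Constructed sample config. The stream5_global session limits are the ones
# quoted in the thread; every memcap value here is made up for illustration.
SAMPLE_CONF = r"""
# fragment of a snort.conf
preprocessor frag3_global: max_frags 65536, memcap 4194304
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   memcap 8388608
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def summarize(text, bytes_per_session=None):
    """Return (memcaps per preprocessor, session caps, byte total).

    Only explicit memcap options are counted; a preprocessor that relies on
    its built-in default is not included. bytes_per_session is an assumption
    supplied by the caller, not a figure from Snort or from the thread.
    """
    memcaps, sessions = {}, {}
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)", line)
        if not m:
            continue
        name, opts = m.groups()
        # Handles both "memcap 123" and "memcap { 123 }" forms.
        cap = re.search(r"\bmemcap\s*\{?\s*(\d+)", opts)
        if cap:
            memcaps[name] = memcaps.get(name, 0) + int(cap.group(1))
        for key, val in re.findall(r"\b(max_tcp|max_udp)\s+(\d+)", opts):
            sessions[key] = int(val)
    total = sum(memcaps.values())
    if bytes_per_session is not None:
        total += bytes_per_session * sum(sessions.values())
    return memcaps, sessions, total

if __name__ == "__main__":
    caps, sess, total = summarize(SAMPLE_CONF)
    print(caps, sess, f"explicit memcap sum: {total / 2**20:.1f} MiB")
```
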