[Snort-users] Fwd: Snort 126.96.36.199 memory leak?
msuliba at ...11827...
Fri Feb 28 10:25:01 EST 2014
I'm using default setting from VRT supplied snort.conf:
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
It is possible to tell or at list estimate what maximum memory usage in
this default configuration will be?
On Fri, Feb 28, 2014 at 6:08 AM, Hui Cao (huica) <huica at ...589...> wrote:
> This depends on your snort configuration. You can get the upper bound by
> adding up all memcap values for (frag3, stream5, all preprocessors etc).
> In addition, Max_*tcp and Max_udp will also add up the memory on top of
> that. Normally, snort might use up to 1 G memory to stabilize. However, I
> have seen it reaches 1.5 G when max_*tcp or max_udp is large. You can
> change those two values to get a smaller upper bound.
> *Hui. *
> From: Mirek Suliba <msuliba at ...11827...>
> Date: Thursday, February 27, 2014 at 8:37 PM
> To: waldo kitty <wkitty42 at ...14940...>
> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Fwd: Snort 188.8.131.52 memory leak?
> I'm not concern about free memory but about rate how fast and
> constant amount of memory used by Snort were growing. It was about 70MB
> per hour. I didn't want to get to situation when system started to be our
> of memory. Any suggestion at what level I should expect Snort memory usage
> to stabilize? Is that any "hard" limit for this?
> Thank you,
> - Mirek
> On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 at ...14940...>wrote:
>> On 2/27/2014 5:32 PM, Mirek Suliba wrote:
>> > Constant growth of memory usage looks a little bit scary but I hope
>> that you are
>> > right that it will stop at some point. I will run it for a longer
>> period of time
>> > to check.
>> is this a *nix box? if yes, *nix will properly use memory to the
>> fullest... it
>> is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on
>> other hand, have been much different over the years... using all available
>> memory is not a bad thing... it is, in fact, a very good thing... as long
>> as it
>> doesn't keep growing beyond what is truly needed ;)
>> NOTE: No off-list assistance is given without prior approval.
>> Please keep mailing list traffic on the list unless
>> private contact is specifically requested and granted.
>> Flow-based real-time traffic analytics software. Cisco certified tool.
>> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
>> Customize your own dashboards, set traffic alerts and generate reports.
>> Network behavioral analysis & security monitoring. All-in-one tool.
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users