[Snort-users] Fwd: Snort 2.9.6.0 memory leak?

Hui cao huica at ...589...
Fri Feb 28 11:00:22 EST 2014


It should be around 1G memory if you don't load lots of IPs in 
reputation Preprocessor. If you load lots of IPs, memory will reach to 
1.5G because reputation memcap is 500M.

Best,
Hui.
On 02/28/2014 10:25 AM, Mirek Suliba wrote:
> I'm using default setting from VRT supplied snort.conf:
>
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 2, \
>    min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, 
> require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>
> It is possible to tell or at list estimate what maximum memory usage 
> in this default configuration will be?
>
> Thank you,
>
>   - Mirek
>
>
>
> On Fri, Feb 28, 2014 at 6:08 AM, Hui Cao (huica) <huica at ...589... 
> <mailto:huica at ...589...>> wrote:
>
>     This depends on your snort configuration. You can get the upper
>     bound by adding up all memcap values for (frag3, stream5, all
>     preprocessors etc).  In addition,  Max_/tcp and Max_udp will also
>     add up the memory on top of that.  Normally, snort might use up to
>     1 G memory to stabilize. However, I have seen it reaches 1.5 G
>     when max_/tcp or max_udp is large. You can change those two values
>     to get a smaller upper bound.
>     /
>     /
>     /Best,/
>     /Hui. /
>
>     From: Mirek Suliba <msuliba at ...11827... <mailto:msuliba at ...11827...>>
>     Date: Thursday, February 27, 2014 at 8:37 PM
>     To: waldo kitty <wkitty42 at ...14940...
>     <mailto:wkitty42 at ...14940...>>
>
>     Cc: "snort-users at lists.sourceforge.net
>     <mailto:snort-users at lists.sourceforge.net>"
>     <snort-users at lists.sourceforge.net
>     <mailto:snort-users at lists.sourceforge.net>>
>     Subject: Re: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?
>
>     I'm not concern about free memory but about rate how fast and
>     constant  amount of memory used by Snort were growing. It was
>     about 70MB per hour. I didn't want to get to situation when system
>     started to be our of memory. Any suggestion at what level I should
>     expect Snort memory usage to stabilize? Is that any "hard" limit
>     for this?
>
>     Thank you,
>
>       - Mirek
>
>
>
>     On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty
>     <wkitty42 at ...14940... <mailto:wkitty42 at ...14940...>> wrote:
>
>         On 2/27/2014 5:32 PM, Mirek Suliba wrote:
>         > Constant growth of memory usage looks a little bit scary but
>         I hope that you are
>         > right that it will stop at some point. I will run it for a
>         longer period of time
>         > to check.
>
>         is this a *nix box? if yes, *nix will properly use memory to
>         the fullest... it
>         is quite normal to see a *nix box using 98% RAM... winwhatever
>         boxen, on the
>         other hand, have been much different over the years... using
>         all available
>         memory is not a bad thing... it is, in fact, a very good
>         thing... as long as it
>         doesn't keep growing beyond what is truly needed ;)
>
>         --
>         NOTE: No off-list assistance is given without prior approval.
>                Please keep mailing list traffic on the list unless
>                private contact is specifically requested and granted.
>
>         ------------------------------------------------------------------------------
>         Flow-based real-time traffic analytics software. Cisco
>         certified tool.
>         Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow
>         Analyzer
>         Customize your own dashboards, set traffic alerts and generate
>         reports.
>         Network behavioral analysis & security monitoring. All-in-one
>         tool.
>         http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
>         _______________________________________________
>         Snort-users mailing list
>         Snort-users at lists.sourceforge.net
>         <mailto:Snort-users at lists.sourceforge.net>
>         Go to this URL to change user options or unsubscribe:
>         https://lists.sourceforge.net/lists/listinfo/snort-users
>         Snort-users list archive:
>         http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>         Please visit http://blog.snort.org to stay current on all the
>         latest Snort news!
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140228/2b3ef2fb/attachment.html>


More information about the Snort-users mailing list