[Snort-users] Fwd: Snort 2.9.6.0 memory leak?

Mirek Suliba msuliba at ...11827...
Fri Feb 28 16:02:06 EST 2014


Hui, it looks like Snort memory usage stabilized at 479MB. For last two
hours I don't see any change. Now I can check how Snort will behave on
other systems.

Thank you for your help,

  - Mirek



On Fri, Feb 28, 2014 at 10:00 AM, Hui cao <huica at ...589...> wrote:

>  It should be around 1G memory if you don't load lots of IPs in reputation
> Preprocessor. If you load lots of IPs, memory will reach to 1.5G because
> reputation memcap is 500M.
>
> Best,
> Hui.
>
> On 02/28/2014 10:25 AM, Mirek Suliba wrote:
>
>  I'm using default setting from VRT supplied snort.conf:
>
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 2, \
>    min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
> 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>
>  It is possible to tell or at list estimate what maximum memory usage in
> this default configuration will be?
>
>  Thank you,
>
>    - Mirek
>
>
>
> On Fri, Feb 28, 2014 at 6:08 AM, Hui Cao (huica) <huica at ...589...> wrote:
>
>>  This depends on your snort configuration. You can get the upper bound
>> by adding up all memcap values for (frag3, stream5, all preprocessors etc).
>>  In addition,  Max_*tcp and Max_udp will also add up the memory on top
>> of that.  Normally, snort might use up to 1 G memory to stabilize.
>> However, I have seen it reaches 1.5 G when max_*tcp or max_udp is large.
>> You can change those two values to get a smaller upper bound.
>>
>>  *Best,*
>> *Hui.  *
>>
>>   From: Mirek Suliba <msuliba at ...11827...>
>> Date: Thursday, February 27, 2014 at 8:37 PM
>> To: waldo kitty <wkitty42 at ...14940...>
>>
>> Cc: "snort-users at lists.sourceforge.net" <
>> snort-users at lists.sourceforge.net>
>> Subject: Re: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?
>>
>>    I'm not concern about free memory but about rate how fast and
>> constant  amount of memory used by Snort were growing. It was about 70MB
>> per hour. I didn't want to get to situation when system started to be our
>> of memory. Any suggestion at what level I should expect Snort memory usage
>> to stabilize? Is that any "hard" limit for this?
>>
>>  Thank you,
>>
>>    - Mirek
>>
>>
>>
>> On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 at ...14940...>wrote:
>>
>>> On 2/27/2014 5:32 PM, Mirek Suliba wrote:
>>> > Constant growth of memory usage looks a little bit scary but I hope
>>> that you are
>>> > right that it will stop at some point. I will run it for a longer
>>> period of time
>>> > to check.
>>>
>>>  is this a *nix box? if yes, *nix will properly use memory to the
>>> fullest... it
>>> is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on
>>> the
>>> other hand, have been much different over the years... using all
>>> available
>>> memory is not a bad thing... it is, in fact, a very good thing... as
>>> long as it
>>> doesn't keep growing beyond what is truly needed ;)
>>>
>>> --
>>> NOTE: No off-list assistance is given without prior approval.
>>>        Please keep mailing list traffic on the list unless
>>>        private contact is specifically requested and granted.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Flow-based real-time traffic analytics software. Cisco certified tool.
>>> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
>>> Customize your own dashboards, set traffic alerts and generate reports.
>>> Network behavioral analysis & security monitoring. All-in-one tool.
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140228/411a7fe1/attachment.html>


More information about the Snort-users mailing list