[Snort-users] Fwd: Snort 126.96.36.199 memory leak?
msuliba at ...11827...
Fri Feb 28 16:02:06 EST 2014
Hui, it looks like Snort memory usage stabilized at 479MB. For last two
hours I don't see any change. Now I can check how Snort will behave on
Thank you for your help,
On Fri, Feb 28, 2014 at 10:00 AM, Hui cao <huica at ...589...> wrote:
> It should be around 1G memory if you don't load lots of IPs in reputation
> Preprocessor. If you load lots of IPs, memory will reach to 1.5G because
> reputation memcap is 500M.
> On 02/28/2014 10:25 AM, Mirek Suliba wrote:
> I'm using default setting from VRT supplied snort.conf:
> preprocessor stream5_global: track_tcp yes, \
> track_udp yes, \
> track_icmp no, \
> max_tcp 262144, \
> max_udp 131072, \
> max_active_responses 2, \
> min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
> 180, \
> overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
> It is possible to tell or at list estimate what maximum memory usage in
> this default configuration will be?
> Thank you,
> - Mirek
> On Fri, Feb 28, 2014 at 6:08 AM, Hui Cao (huica) <huica at ...589...> wrote:
>> This depends on your snort configuration. You can get the upper bound
>> by adding up all memcap values for (frag3, stream5, all preprocessors etc).
>> In addition, Max_*tcp and Max_udp will also add up the memory on top
>> of that. Normally, snort might use up to 1 G memory to stabilize.
>> However, I have seen it reaches 1.5 G when max_*tcp or max_udp is large.
>> You can change those two values to get a smaller upper bound.
>> *Hui. *
>> From: Mirek Suliba <msuliba at ...11827...>
>> Date: Thursday, February 27, 2014 at 8:37 PM
>> To: waldo kitty <wkitty42 at ...14940...>
>> Cc: "snort-users at lists.sourceforge.net" <
>> snort-users at lists.sourceforge.net>
>> Subject: Re: [Snort-users] Fwd: Snort 188.8.131.52 memory leak?
>> I'm not concern about free memory but about rate how fast and
>> constant amount of memory used by Snort were growing. It was about 70MB
>> per hour. I didn't want to get to situation when system started to be our
>> of memory. Any suggestion at what level I should expect Snort memory usage
>> to stabilize? Is that any "hard" limit for this?
>> Thank you,
>> - Mirek
>> On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 at ...14940...>wrote:
>>> On 2/27/2014 5:32 PM, Mirek Suliba wrote:
>>> > Constant growth of memory usage looks a little bit scary but I hope
>>> that you are
>>> > right that it will stop at some point. I will run it for a longer
>>> period of time
>>> > to check.
>>> is this a *nix box? if yes, *nix will properly use memory to the
>>> fullest... it
>>> is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on
>>> other hand, have been much different over the years... using all
>>> memory is not a bad thing... it is, in fact, a very good thing... as
>>> long as it
>>> doesn't keep growing beyond what is truly needed ;)
>>> NOTE: No off-list assistance is given without prior approval.
>>> Please keep mailing list traffic on the list unless
>>> private contact is specifically requested and granted.
>>> Flow-based real-time traffic analytics software. Cisco certified tool.
>>> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
>>> Customize your own dashboards, set traffic alerts and generate reports.
>>> Network behavioral analysis & security monitoring. All-in-one tool.
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> Snort-users list archive:
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users