[Snort-users] Snort is using a lot of memory

Anna Anna at sonru.com
Fri Sep 29 09:15:38 EDT 2017


I have only one snort.conf, which is located in /etc/snort

This is my command for starting snort —> ExecStart=/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

The problem started 15th of September when we upgraded Centos to 7.4.1708, server was restarted and we started getting notifications regarding Snort. Before that Snort was running few months without issues,

At the moment it is using 29-30% of Memory, I was expecting this behaviour when Snort started and run, but after few days it should stabilise (that happened when I installed it in June), I have two testing environments that Snort was running without issue, now both of the servers are using memory a lot

This is the chunk of snort.conf for stream5_global (we have a lot of those notifications from Snort)


preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
   track_icmp no, \
   memcap 500000000, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

Any steps to rectify this, will be great

Let me know what more, should I provide to diagnose the problem

Thank you

Anna

> On 19 Sep 2017, at 17:55, Joel Esler (jesler) <jesler at cisco.com> wrote:
> 
> Are you sure that you are referring to the correct snort.conf?
> 
> We need more information.
> 
> --
> Joel Esler | Talos: Manager | jesler at cisco.com <mailto:jesler at cisco.com>
> 
> 
> 
> 
> 
> 
>> On Sep 19, 2017, at 9:25 AM, Anna <Anna at sonru.com <mailto:Anna at sonru.com>> wrote:
>> 
>> 
>> 
>> Hi,
>> 
>> Snort: 2.9.9.0
>> OS: Centos 7
>> 
>> Recently Snort started to use a lot of memory, and it is constantly on 29-30% of usage, it did not happen before (even when Snort was using more memory at the beginning - it went down after an hour or two), the only change to the server was a Centos upgrade
>> 
>> I put the memcap in the snort.conf —> stream5: global and restarted snort, but the memory usage did not go down. It is as Snort is ignoring the config
>> 
>> Any help with this?
>> 
>> 
>> <Screen Shot 2017-09-19 at 14.15.49.png>
>> 
>> Thank you
>> 
>> ANNA
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org <mailto:Snort-users at lists.snort.org>
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170929/b7d6ef60/attachment.html>


More information about the Snort-users mailing list