Re: mem leak in snort-1.8-beta5 from 31-May CVS

[Martin Roesch <roesch () sourcefire com>]

Stream is (going to be) deprecated, use stream2 for the time being.

    -Marty

Jason Haar wrote:
> I'm running snort under Redhat 6.2 on two different boxes. One with config
> based on that from www.snort.org, and another from Max's vision18.conf.
>
> Basically I run out of memory on them...
>
> I'm just about to kill for the second time in two days snort as it hits 70Mb
> of RAM.
>
> USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> snort     2435  1.2  3.2 71924 12360 ?       S    08:59   5:07
>  /usr/bin/snort.cvs  -u snort -g snort -e -d -a -o -I -i eth1 -c
>  /etc/snort/site.conf -D
>
> I have the following config option set:
>
> output alert_syslog: LOG_AUTH LOG_ALERT
> output database: log, mysql,
> preprocessor defrag
> preprocessor stream: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
> preprocessor http_decode: 80 2301
> preprocessor portscan: $INTERNAL 5 5 portscan
>
> My guess there's a leak in stream still?
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users