Snort mailing list archives

Re: Snort and memory

From: John Sage <jsage () finchhaven com>
Date: Wed, 22 Aug 2001 02:44:33 -0700

Marcin:

On my firewall, Pentium 150, 96mb RAM, top, sort M (memory usage):

78 processes: 74 sleeping, 3 running, 0 zombie, 1 stopped
CPU states: 18.6% user,  4.9% system,  0.0% nice, 76.3% idle

Mem: 95516K av, 91872K used, 3644K free, 132804K shrd, 34620KbuffSwap: 52376K av, 10068K used, 42308K free 28380Kcached


  PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
  708 toot       0   0 10340 9088  8908 S       0  0.0  9.5   0:36 httpd
 1156 toot       0   0  4128 4028  1784 T       0  0.0  4.2   0:41 emacs
16444 toot       0   0  1372 1372   756 S       0  0.0  1.4   4:03 tcpdump
  722 toot       0   0  1364 1364  1168 S       0  0.0  1.4   0:00 xntpd
30094 toot       0   0  1220 1220   740 S       0  0.0  1.2   0:00 snort18
30280 toot       0   0   872  872   560 S       0  0.0  0.9   0:00 tcpdump
30503 toot       8   0   872  872   664 R       0  3.8  0.9   0:10 top
<snip>

Similar setup, somewhat: small LAN 10mb/s going outward through 56k ppplink..

Snort 1.8.1-beta4, restarted about 3 times daily as my ppp link goesdown and back up.


RHL 6.2 kernel 2.2.14-5.0

cat /proc/swaps:  52376 size  10056 used

How often does snort get restarted?

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Marcin Zurakowski wrote:

I've run snort on local network(ethernet - 10Mb/s and 2Mb/s gateway to
internet). When I run 'top' I get:

---------------------------------------------------------------------
CPU states: 15.6% user,  3.3% system,  0.0% nice, 80.9% idle
Mem:   160824K av,  158496K used,    2328K free,   27992K shrd,    3944K
buff
Swap:  128516K av,   59144K used,   69372K free                    9708K
cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
28156 snort     19   0  170M 113M   968 R       0 16.6 72.4 264:03 snort
31665 root       4   0   868  868   672 R       0  1.9  0.5   0:26 top
-----------------------------------------------------------------------

Is it normal that snort consumed 170MB memory??????????

Configuration:
- Pentium MMX 166MHz
- 160MB memory
- 128 MB swap
- network adapter: 3COM 905C
- RH 6.0, kernel 2.2.19 with openwall patch
- snort 1.8.1-RELEASE
- standart configuration from whitehats, internal network: class C




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort and memory Marcin Zurakowski (Aug 22)
- Re: Snort and memory John Sage (Aug 22)
- Re: Snort and memory Martin Roesch (Aug 22)
  - Re: Snort and memory Marcin Zurakowski (Aug 22)
    - Re: Snort and memory Martin Roesch (Aug 22)
    - Re: Snort and memory Scott Nursten (Aug 28)
    - Re: Snort and memory Martin Roesch (Aug 28)
  - Re: Snort and memory John Sage (Aug 22)
- <Possible follow-ups>
- RE: Snort and memory Mayers, Philip J (Aug 29)