Snort mailing list archives

Re: Snort and memory


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 28 Aug 2001 20:52:19 -0400

Stop running the database output plugin and see if it continues to leak
memory.  You can log to a binary file with the -b switch and
periodically read the log file into the database by running it back thru
Snort with the -r switch.  This could work as a temporary solution until
we get Barnyard working.

     -Marty

Scott Nursten wrote:

Well, here's mine:

Snort 1.8.1 with the only output plugin as:

snort.conf:output database: log, mysql, user=blah dbname=blahdb host=localhost

and

 14:51:57 up 14 days, 23:08,  1 user,  load average: 0.36, 0.29, 0.27
60 processes: 59 sleeping, 1 running, 0 zombie, 0 stopped
CPU states:  15.0% user,   2.4% system,   0.0% nice,  82.6% idle
Mem:   1157276K total,  1151212K used,     6064K free,     1056K buffers
Swap:  2097136K total,   550872K used,  1546264K free,    10376K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
 8934 snort     15   0 1107M 719M 13304 S    31.8 63.6 303:54 snort
 4144 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:00 mysqld
 4146 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:13 mysqld
 4147 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:05 mysqld
 4148 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:00 mysqld
 8935 mysql      9   0 18864 7696  7096 S     0.3  0.6   0:07 mysqld
18360 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:01 mysqld
18363 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:03 mysqld
21029 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:00 mysqld
21355 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:00 mysqld
21358 mysql      9   0 18864 7696  7096 S     0.0  0.6   0:00 mysqld
18361 nobody     9   0  3320 3232  1864 S     0.0  0.2   0:00 httpd
18356 nobody     9   0  3304 3220  1852 S     0.0  0.2   0:00 httpd
18357 nobody     9   0  3304 3220  1884 S     0.0  0.2   0:00 httpd
18359 nobody     9   0  1484 1212  1192 S     0.0  0.1   0:00 httpd
18362 nobody     9   0  1452 1184  1152 S     0.0  0.1   0:00 httpd
18311 root       9   0  1128 1004   928 S     0.0  0.0   0:00 bash
21689 root      13   0  1000 1000   780 R     1.5  0.0   0:00 top
18358 nobody     9   0  2636  608   200 S     0.0  0.0   0:00 httpd

--------------------------------------------------------------------------

Processes die fairly regularly with all mem being used. Any ideas?

Rgds,

Scott

Martin Roesch wrote:

Marcin Zurakowski wrote:

On Wed, 22 Aug 2001, Martin Roesch wrote:

What output options are you using?

I set something like this:
# LOGING
output alert_syslog: LOG_LOCAL6

And in my syslog.conf:
local6.*                                                /var/log/snort.log

I've just discovered that crond died... It has never happened before
installing snort.

Well, Snort doesn't have any interaction with cron, but if your system
is running out of memory that could be a problem.  I don't know why
Snort is using so much memory, we pretty much eliminated all the memory
leaks in the standard loadout.  Having just looked at the default
vision18.conf file from whitehats.com, I see that the default
preprocessor load is out of date, that's probably the problem.  For the
time being, I'd suggest using the snort.conf file that comes with Snort,
and your logging setup.  If you do that and still see excessive memory
usage, let me know.

     -Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--

Scott Nursten - Systems Administrator
----------------------------------------------
ddi:   +44 (0) 1293 744 122
work:  +44 (0) 1293 402 040
fax:   +44 (0) 1293 402 050
email: scottn () streetsonline co uk
wwweb: http://www.streetsonline.co.uk
----------------------------------------------

                Any sufficiently advanced technology is indistinguishable from magic.
                                        Arthur C. Clarke

                Any technology distinguishable from magic is insufficiently advanced.
                         (Probably not) Arthur C. Clarke

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

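The workaround Marty describes (run the live sensor with -b so it writes packets to a binary log and never loads the database output plugin, then periodically run the closed log files back through Snort with -r and a config that does load the plugin) as a small replay script. This is an added example, not code from the thread or from the Snort project. The directory layout, the name of the replay config (snort-db.conf), and the assumption that an operator rotates the sensor's binary log into a spool directory are all hypothetical; the only Snort switches relied on are -b, -r, -c and -l.

```sh
#!/bin/sh
# Added example (not from the thread): replay closed Snort binary packet logs
# into the database out of band. The live sensor runs WITHOUT the database
# plugin, e.g.
#   snort -b -c /etc/snort/snort-sensor.conf -l /var/log/snort
# so a leak in that plugin can no longer grow inside the long-lived process.
# A second config (assumed name snort-db.conf) keeps the same rules but adds
#   output database: log, mysql, user=... dbname=... host=localhost
# and is only ever used with -r on a file, so each replay is a short-lived
# process whose memory is returned when it exits.
#
# Assumed layout: whoever rotates the sensor's log moves the closed binary
# file into $SPOOL; this script replays everything it finds there.

SNORT="${SNORT:-snort}"
SPOOL="${SPOOL:-/var/log/snort/spool}"          # closed binary logs wait here
DONE_DIR="${DONE_DIR:-/var/log/snort/replayed}" # files move here after success
WORKDIR="${WORKDIR:-/var/log/snort/replay-work}" # -l target for the replay run
REPLAY_CONF="${REPLAY_CONF:-/etc/snort/snort-db.conf}"

# replay_one FILE: run FILE back through Snort with the database config.
# The file is moved out of the spool only if Snort exited successfully, so a
# failed replay (database down, bad config) leaves it in place for retry.
replay_one() {
    f="$1"
    "$SNORT" -r "$f" -c "$REPLAY_CONF" -l "$WORKDIR" || return 1
    mv "$f" "$DONE_DIR/" || return 1
}

# replay_pending: replay every file in $SPOOL. Prints the number of files
# replayed successfully and returns nonzero if any replay failed.
replay_pending() {
    mkdir -p "$DONE_DIR" "$WORKDIR" || return 1
    count=0
    failed=0
    for f in "$SPOOL"/*; do
        [ -f "$f" ] || continue          # glob matched nothing, or not a file
        if replay_one "$f"; then
            count=$((count + 1))
        else
            failed=1
        fi
    done
    echo "$count"
    return $failed
}

# Stand-alone use: ./replay.sh run   (e.g. from cron, after each log rotation)
case "${1:-}" in
    run) replay_pending ;;
esac
```

The script is intended to be invoked from cron after each rotation; because a file is only moved after a successful exit, a replay that dies (for example if mysqld is unreachable) is simply retried on the next run rather than silently losing the packets.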
