Snort mailing list archives

Snort for Windows Memory Climbing


From: "Eric Knight" <eric () swordsoft com>
Date: Sun, 6 Jun 2004 11:09:58 -0600

Greetings,

I've been working on a distributed IDS project using Snort (Windows compile), and I came across a bit of a snag. 
Although I don't know technically how serious this is, e.g., I'm not calling this a denial of service or anything 
since I couldn't reproduce any crashing or whatnot, so I thought maybe the problem was in my approach but not in Snort.

First, the command line arguments I'm using are:

snort -l /assigned/tmp/ -c /snort/etc/snort.conf -N -q -A console -v

Verbose output, dumping all information to the console, logging disabled.  The point of the dump is to keep as little 
data as possible from touching the drives until they are processed by my wrapper.  That way stuff like portscans, DDoS 
and general events that happen hundreds of thousands of times can be simplified before writing and IPS activities can 
be activated after an event gets "reclassified" to a higher level.

So, in short: dump to screen output -> captured by buffered reader -> processed -> kept in memory for a while -> dumped 
periodically.

What is surprising me, however, is that Snort is the application that's significantly growing in memory use.  It 
started off using about 16 megs of memory, and eventually grew to 44 megs before it started using swap.  What I'm doing 
is fairly simple -- running nmap against the host over and over and over with the following option:

nmap -p 1-65534 192.168.0.100

Also, there's a constant stream of "Malformed UDP packets" that come across the net due to a cheap broadband router I've 
got installed -- about 1 generated per second (although they come across as being generated 5 every 5 seconds in a 
lump.)

It took about 350,000 alerts to make it reach this level, but I'm just wondering if there's something I can do to make 
Snort flush or garbage collect, or not use as much memory or if this is, indeed, a memory leak somewhere in the system. 
Also, and might as well ask, if this is standard behavior for Snort to grow in size as it's being used intensely.

Take care,

Eric
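
The wrapper pipeline described in this message (console alerts captured from a pipe, collapsed in memory, dumped periodically), as an added example that is not part of the original post and is not Snort code. It assumes the one-line alert layout shown in the regex; the class name, method names, key cap and sample lines are hypothetical.

```python
import re
from collections import OrderedDict

# Assumed layout of a one-line "-A console" alert; other lines (-v dumps) are skipped.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)')

class AlertAggregator:
    """Hypothetical wrapper core: repeated alerts become counters, keys are capped."""

    def __init__(self, max_keys=10000):
        self.max_keys = max_keys
        self.buckets = OrderedDict()  # (sig, src, dst) -> running summary
        self.skipped = 0              # lines that were not alerts

    @staticmethod
    def _summary(key, b):
        return dict(sig=key[0], src=key[1], dst=key[2], **b)

    def feed(self, line):
        """Consume one console line; return a summary evicted by the cap, else None."""
        m = ALERT_RE.match(line)
        if not m:
            self.skipped += 1
            return None
        key, evicted = (m['sig'], m['src'], m['dst']), None
        if key not in self.buckets:
            if len(self.buckets) >= self.max_keys:
                old_key, old = self.buckets.popitem(last=False)
                evicted = self._summary(old_key, old)  # caller writes this to disk
            self.buckets[key] = {'msg': m['msg'], 'proto': m['proto'],
                                 'first': m['ts'], 'last': m['ts'], 'count': 0}
        self.buckets[key]['count'] += 1
        self.buckets[key]['last'] = m['ts']
        return evicted

    def flush(self):
        """Periodic dump: return all summaries and release the memory."""
        out = [self._summary(k, b) for k, b in self.buckets.items()]
        self.buckets.clear()
        return out

# Constructed sample lines (not real Snort output); the SIDs are placeholders.
SAMPLE = [
    "06/06-11:02:14.101000  [**] [1:1000001:1] Constructed portscan probe [**] [Priority: 2] {TCP} 192.168.0.50:40001 -> 192.168.0.100:22",
    "06/06-11:02:14.102000  [**] [1:1000001:1] Constructed portscan probe [**] [Priority: 2] {TCP} 192.168.0.50:40002 -> 192.168.0.100:23",
    "=+=+=+=+=+=+=+=+=+=+=+=+=",
    "06/06-11:02:15.000000  [**] [1:1000002:1] Constructed malformed UDP [**] [Priority: 3] {UDP} 192.168.0.1:1900 -> 192.168.0.255:1900",
]
```

In a live wrapper, `feed()` would be called for each line read from the Snort process's stdout and `flush()` from a timer; the cap on keys keeps the wrapper's own memory flat regardless of alert volume.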
