Snort mailing list archives

Re: Memory "Leakage" Snort 2.2.0 - Windows?


From: Jeremy Hewlett <jh () sourcefire com>
Date: Fri, 10 Dec 2004 12:29:22 -0500

On Mon, Dec 06, John Steele wrote:

   Has anyone experienced significant memory "leakage" with snort 2.2.0
   under Windows 2000 Server?

I don't think this has much to do with Windows (more below).

   We installed 2.2 on a 2000 machine last
   week and have been having a number of shutdowns where the system
   reports that there is no memory available for processes, including
   user logons. (We have been running Snort 1.8 under Windows NT 4.0 for
   some time now without a problem)

Snort 1.8 was still considered a lightweight IDS. With the 2.0 revamp,
Snort is now considered commercial-grade. These sorts of changes will
inevitably require more memory.

A couple of big items that would suck up large amounts of memory are
stream4 and the detection engine. If memory is an issue, which it
appears to be, you should try setting a memcap on stream4, and using
the 'lowmem' detection engine. These are documented in the default
snort.conf.

You may also want to tune other preprocessors with memcaps, prune
unneeded rules, etc.
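
An added example, not part of the reply above or of the Snort project's code: a Python check that reads a snort.conf body and reports whether stream4 (and frag2) carry an explicit memcap and whether the detection engine is set to lowmem, the two settings the reply recommends. The config excerpts, the byte values, and the list of memcap-capable preprocessors are constructed assumptions; line continuations are not handled.

```python
import re

# Constructed excerpts, not taken from the thread. Byte values are samples.
UNTUNED_CONF = """\
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
# config detection: search-method lowmem
"""
TUNED_CONF = """\
preprocessor frag2: memcap 4194304
preprocessor stream4: disable_evasion_alerts, memcap 16777216
preprocessor stream4_reassemble
config detection: search-method lowmem
"""

# Assumption: the preprocessors in this config that accept a memcap option.
MEMCAP_CAPABLE = ("stream4", "frag2")


def audit(conf_text, memcap_capable=MEMCAP_CAPABLE):
    """Return (memcaps, search_method, findings) for a snort.conf body."""
    memcaps, search_method = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out settings do not count
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)$", line)
        if m and m.group(1) in memcap_capable:
            cap = re.search(r"\bmemcap\s+(\d+)", m.group(2))
            memcaps[m.group(1)] = int(cap.group(1)) if cap else None
        m = re.match(r"config\s+detection\s*:\s*(.*)$", line)
        if m:
            sm = re.search(r"search-method\s+([\w-]+)", m.group(1))
            search_method = sm.group(1) if sm else search_method
    findings = [f"{name}: no explicit memcap"
                for name, cap in sorted(memcaps.items()) if cap is None]
    if search_method != "lowmem":
        findings.append(
            f"detection search-method is {search_method or 'default'}, not lowmem")
    return memcaps, search_method, findings


if __name__ == "__main__":
    for label, conf in (("untuned", UNTUNED_CONF), ("tuned", TUNED_CONF)):
        memcaps, method, findings = audit(conf)
        total = sum(v for v in memcaps.values() if v)
        print(f"{label}: capped bytes={total} search-method={method}")
        for f in findings:
            print("  -", f)
```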

