Snort mailing list archives
Re: Re: Possible Evasion in Snort Multi Pattern Algorithm
From: Joel Esler <eslerj () gmail com>
Date: Wed, 13 Jul 2005 21:20:41 -0400
Follow-up to this being:Can a Soucefire person explain the different search methods and their impact?
Joel On Jul 13, 2005, at 6:58 PM, Zultan wrote:
Aho-Corasick is a CPU hog when Snort starts but it does settle down.However, it sure is a memory hog when running. I'm seeing a 3-5 fold increase in memory use. Here are some stats reported by top. This was a nighttime traffic load. Even during the day at a 50meg traffic load, the CPU rate typically stays below 10%, and the memory use stays less than 10%. These 2 machines are Dell 2650s, 2x3Gig HT CPU, 2Gig RAM, running Phil Wood's libpcap.Here's the line from top when it was CPU was high, mem use was on target at thetime.PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 32392 snort 25 0 196M 131M 1024 R 24.8 6.5 0:07 2 snortAfter the CPU rate settled down, the mem use went way up and stayed there. PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 32392 snort 25 0 717M 651M 1048 S 1.0 32.4 0:53 3 snortHere's a line from a default config'd sensor. These are normal rates for nighttime. PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 2705 snort 25 0 206M 140M 1072 S 1.0 7.0 2:17 1 snortAlso, I've got 1 sensor that's memory chalanged, only 512m. He's listens to an old T1 and is sitting at >70% mem use, and using 300 Meg of swap. This only under a traffic load of a few hundred K. Any other load increase and he'll be thrashing swap. That's unacceptable.Will we see a reduction in memory use by Aho-Corasick in version 2.4? Zultan -- ___________________________________________________________ Sign-up for Ads Free at Mail.com http://promo.mail.com/adsfreejump.htm -------------------------------------------------------This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP,AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP, AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Possible Evasion in Snort Multi Pattern Algorithm bmc (Jul 12)
- <Possible follow-ups>
- Re: Possible Evasion in Snort Multi Pattern Algorithm Zultan (Jul 13)
- Re: Re: Possible Evasion in Snort Multi Pattern Algorithm Joel Esler (Jul 13)
- Re: Re: Possible Evasion in Snort Multi Pattern Algorithm Jason (Jul 13)
- Re: Re: Possible Evasion in Snort Multi Pattern Algorithm Joel Esler (Jul 13)