Re: Snort v2.6.0 and Excessive Memory

[Zakai Kinan <titanyen2000 () yahoo com>]

I use this configuration option "config detection:
search-method lowmem".  I had the same problem before
using it.  Keep in mind that I have a small network.

ZK

--- Ron Jenkins <rjenkins () dibr net> wrote:

> I had to back off from v2.6.0, because it was not
> detect a high
> percentage of alerts.
>
>  
>
> With 1GB of RAM and Snort v2.4.5 we still have 300MB
> free, but with
> v2.6.0 there is only 70MB free.
>
>  
>
> Below is the config detection setting being used;
> config detection:
> search-method ac-sparsebands
>
>  
>
> Does anyone have any ideas? Below is the
> configuration being used and
> the load line.
>
>  
>
> Thanks...
>
>  
>
>  
>
> /usr/local/bin/snort -i nic0 -e -d -D -c
> /etc/snort/snort.conf -l
> /var/log/snort
>
>  
>
>  
>
>  
>
> #--------------------------------------------------
>
> #   http://www.snort.org     Snort 2.6.0 config file
>
> #     Contact: snort-sigs () lists sourceforge net
>
> #--------------------------------------------------
>
> # $Id$
>
> #
>
> ###################################################
>
> # This file contains a sample snort configuration. 
>
> # You can take the following steps to create your
> own custom
> configuration:
>
> #
>
> #  1) Set the variables for your network
>
> #  2) Configure dynamic loaded libraries
>
> #  3) Configure preprocessors
>
> #  4) Configure output plugins
>
> #  5) Add any runtime config directives
>
> #  6) Customize your rule set
>
> #
>
> ###################################################
>
> # Step #1: Set the network variables:
>
> #
>
> # You must change the following variables to reflect
> your local network.
> The
>
> # variable is currently setup for an RFC 1918
> address space.
>
> #
>
> # You can specify it explicitly as: 
>
> #
>
> # var HOME_NET 10.1.1.0/24
>
> #
>
> # or use global variable $<interfacename>_ADDRESS
> which will be always
>
> # initialized to IP address and netmask of the
> network interface which
> you run
>
> # snort at.  Under Windows, this must be specified
> as
>
> # $(<interfacename>_ADDRESS), such as:
>
> #
$(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> #
>
> # var HOME_NET $eth0_ADDRESS
>
> #
>
> # You can specify lists of IP addresses for HOME_NET
>
> # by separating the IPs with commas like this:
>
> #
>
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
>
> #
>
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
>
> #
>
> # or you can specify the variable to be any IP
> address
>
> # like this:
>
>  
>
> var HOME_NET any
>
>  
>
> # Set up the external network addresses as well.  A
> good start may be
> "any"
>
> var EXTERNAL_NET any
>
>  
>
> # Configure your server lists.  This allows snort to
> only look for
> attacks to
>
> # systems that have a service up.  Why look for HTTP
> attacks if you are
> not
>
> # running a web server?  This allows quick filtering
> based on IP
> addresses
>
> # These configurations MUST follow the same
> configuration scheme as
> defined
>
> # above for $HOME_NET.  
>
>  
>
> # List of DNS servers on your network 
>
> var DNS_SERVERS $HOME_NET
>
>  
>
> # List of SMTP servers on your network
>
> var SMTP_SERVERS $HOME_NET
>
>  
>
> # List of web servers on your network
>
> var HTTP_SERVERS $HOME_NET
>
>  
>
> # List of sql servers on your network 
>
> var SQL_SERVERS $HOME_NET
>
>  
>
> # List of telnet servers on your network
>
> var TELNET_SERVERS $HOME_NET
=== message truncated ===> Using Tomcat but need to do
more? Need to support
> web services, security?
> Get stuff done quickly with pre-integrated
> technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1
> based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users