Re: Fwd: Snort 2.9.6.0 memory leak?

["Hui Cao (huica)" <huica () cisco com>]

This depends on your snort configuration. You can get the upper bound by adding up all memcap values for (frag3, 
stream5, all preprocessors etc).  In addition,  Max_tcp and Max_udp will also add up the memory on top of that.  
Normally, snort might use up to 1 G memory to stabilize. However, I have seen it reaches 1.5 G when max_tcp or max_udp 
is large. You can change those two values to get a smaller upper bound.

Best,
Hui.

From: Mirek Suliba <msuliba () gmail com<mailto:msuliba () gmail com>>
Date: Thursday, February 27, 2014 at 8:37 PM
To: waldo kitty <wkitty42 () windstream net<mailto:wkitty42 () windstream net>>
Cc: "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists 
sourceforge net<mailto:snort-users () lists sourceforge net>>
Subject: Re: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?

I'm not concern about free memory but about rate how fast and constant  amount of memory used by Snort were growing. It 
was about 70MB per hour. I didn't want to get to situation when system started to be our of memory. Any suggestion at 
what level I should expect Snort memory usage to stabilize? Is that any "hard" limit for this?

Thank you,

  - Mirek



On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 () windstream net<mailto:wkitty42 () windstream net>> wrote:
On 2/27/2014 5:32 PM, Mirek Suliba wrote:
> Constant growth of memory usage looks a little bit scary but I hope that you are
> right that it will stop at some point. I will run it for a longer period of time
> to check.

is this a *nix box? if yes, *nix will properly use memory to the fullest... it
is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on the
other hand, have been much different over the years... using all available
memory is not a bad thing... it is, in fact, a very good thing... as long as it
doesn't keep growing beyond what is truly needed ;)

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!