Snort mailing list archives

Re: Fwd: Snort 2.9.6.0 memory leak?


From: Hui cao <huica () cisco com>
Date: Fri, 28 Feb 2014 11:00:22 -0500

It should be around 1G memory if you don't load lots of IPs in the reputation preprocessor. If you load lots of IPs, memory will reach 1.5G because the reputation memcap is 500M.

Best,
Hui.
On 02/28/2014 10:25 AM, Mirek Suliba wrote:
I'm using the default settings from the VRT-supplied snort.conf:

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \

Is it possible to tell, or at least estimate, what the maximum memory usage in this default configuration will be?

Thank you,

  - Mirek



On Fri, Feb 28, 2014 at 6:08 AM, Hui Cao (huica) <huica () cisco com> wrote:

    This depends on your snort configuration. You can get the upper
    bound by adding up all memcap values (for frag3, stream5, all
    preprocessors etc.). In addition, max_tcp and max_udp will also
    add memory on top of that. Normally, snort might use up to
    1 G memory to stabilize. However, I have seen it reach 1.5 G
    when max_tcp or max_udp is large. You can change those two values
    to get a smaller upper bound.

    Best,
    Hui.

    From: Mirek Suliba <msuliba () gmail com>
    Date: Thursday, February 27, 2014 at 8:37 PM
    To: waldo kitty <wkitty42 () windstream net>
    Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
    Subject: Re: [Snort-users] Fwd: Snort 2.9.6.0 memory leak?

    I'm not concerned about free memory but about how fast and
    constantly the amount of memory used by Snort was growing. It was
    about 70MB per hour. I didn't want to get into a situation where
    the system started to run out of memory. Any suggestion at what
    level I should expect Snort memory usage to stabilize? Is there
    any "hard" limit for this?

    Thank you,

      - Mirek



    On Thu, Feb 27, 2014 at 6:32 PM, waldo kitty <wkitty42 () windstream net> wrote:

        On 2/27/2014 5:32 PM, Mirek Suliba wrote:
        > Constant growth of memory usage looks a little bit scary but I hope that you are
        > right that it will stop at some point. I will run it for a longer period of time
        > to check.

        is this a *nix box? if yes, *nix will properly use memory to the fullest... it
        is quite normal to see a *nix box using 98% RAM... winwhatever boxen, on the
        other hand, have been much different over the years... using all available
        memory is not a bad thing... it is, in fact, a very good thing... as long as it
        doesn't keep growing beyond what is truly needed ;)

        --
        NOTE: No off-list assistance is given without prior approval.
               Please keep mailing list traffic on the list unless
               private contact is specifically requested and granted.

        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

        Please visit http://blog.snort.org to stay current on all the
        latest Snort news!





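The upper-bound estimate described in the thread (add up every configured memcap, then account for max_tcp and max_udp on top), as an added Python example that is not part of the original messages or of Snort. The sample configuration is constructed, its memcap values are made up, and the unit handling (reputation in megabytes, everything else in bytes) is an assumption of this example.

```python
import re

# Constructed sample: the stream5_global options quoted in the thread plus
# memcap options added for illustration (their values are made up here).
SAMPLE_CONF = r"""
preprocessor frag3_global: max_frags 65536, memcap 4194304
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   max_tcp 262144, \
   max_udp 131072, \
   memcap 8388608
preprocessor reputation: \
   memcap 500, \
   priority whitelist
# preprocessor sfportscan: proto { all } memcap { 10000000 }
"""

# Assumption: reputation's memcap is in megabytes (the thread's "500M");
# every other preprocessor is assumed to take its memcap in bytes.
MEMCAP_IN_MB = {"reputation"}

def logical_lines(text):
    """Join backslash-continued lines, then drop blanks and comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def memory_budget(conf_text):
    """Return ({preprocessor: memcap_bytes}, {max_tcp/max_udp: sessions})."""
    memcaps, sessions = {}, {}
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+(\w+)\s*:(.*)", line)
        if not m:
            continue
        name, opts = m.groups()
        cap = re.search(r"\bmemcap\s+\{?\s*(\d+)", opts)  # "memcap N" or "memcap { N }"
        if cap:
            scale = 2**20 if name in MEMCAP_IN_MB else 1
            memcaps[name] = int(cap.group(1)) * scale
        for key, val in re.findall(r"\b(max_tcp|max_udp)\s+(\d+)", opts):
            sessions[key] = int(val)
    return memcaps, sessions

if __name__ == "__main__":
    caps, sess = memory_budget(SAMPLE_CONF)
    for name, size in sorted(caps.items()):
        print(f"{name:16s} {size / 2**20:8.1f} MiB")
    print(f"{'sum of memcaps':16s} {sum(caps.values()) / 2**20:8.1f} MiB")
    print("session tables sized on top of that:", sess)
```

The memcap sum covers only the configured part of the bound; per the thread, memory for up to max_tcp and max_udp tracked sessions comes on top, so lowering those two values lowers the ceiling.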