Snort mailing list archives

Re: Possible Evasion in Snort Multi Pattern Algorithm


From: "Zultan " <zultan () mad scientist com>
Date: Wed, 13 Jul 2005 22:58:35 +0000

Aho-Corasick is a CPU hog when Snort starts but it does settle down.

However, it sure is a memory hog when running.  I'm seeing a 3-5 fold increase in memory use. Here are some stats 
reported by top.  This was a nighttime traffic load.  Even during the day at a 50meg traffic load, the CPU rate 
typically stays below 10%, and the memory use stays less than 10%.  These 2 machines are Dell 2650s, 2x3Gig HT CPU, 
2Gig RAM, running Phil Wood's libpcap.

Here's the line from top when CPU was high; mem use was on target at the
time.
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
32392 snort     25   0  196M 131M  1024 R    24.8  6.5   0:07   2 snort


After the CPU rate settled down, the mem use went way up and stayed there.
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
32392 snort     25   0  717M 651M  1048 S     1.0 32.4   0:53   3 snort


Here's a line from a default config'd sensor.  These are normal rates for nighttime.
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
 2705 snort     25   0  206M 140M  1072 S     1.0  7.0   2:17   1 snort


Also, I've got 1 sensor that's memory challenged, only 512m.  He listens to an old T1 and is sitting at >70% mem use, 
and using 300 Meg of swap.  This is only under a traffic load of a few hundred K.  Any other load increase and he'll be 
thrashing swap.  That's unacceptable.

Will we see a reduction in memory use by Aho-Corasick in version 2.4?

Zultan


