Snort mailing list archives

Potential memory leak/settings for memory conservation in 2.9.2.3/2.9.3_rc1?


From: Jesse Bowling <jessebowling () gmail com>
Date: Tue, 3 Jul 2012 17:55:42 -0400

Hello,

While running snort 2.9.2.3 on modest hardware with PF_RING I've found that
after 1 - 3 hours the snort processes have used enough memory to cause
swapping, which in turn leads to iowait, which leads to additional system
time, which ends in a death spiral with snort and PF_RING dropping and
failing to analyze almost all traffic on a link averaging 200-400 MB/s of
traffic. This appears to also be the case with 2.9.3_rc1.

Some particulars are included below, but before the wall of text I wanted
to ask:

Is there a known memory leak in these versions?

Are there snort.conf options I can/should tweak to limit the amount of
memory that snort uses on this limited resource machine?

What tools or techniques can I use to help profile the performance issue
and isolate its source? I'm fairly certain the issue lies within snort,
but I'd like to have something more definitive than top/vmstat/sar output.

How can I download previous versions of snort? I've built this monitoring
stack before and did not observe issues of this nature then; I'd like to
fall back to an older version and confirm that it functions properly.

Thanks in advance,

Jesse

Tech details:

Linux sensor-test 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012
x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.3 (Santiago)

PF_RING Version     : 5.2.1 ($Revision: 5041$)
Ring slots          : 8192
Slot version        : 13
Capture TX          : No [RX only]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : No (mode 2)
Total rings         : 2
Total plugins       : 0

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3_rc GRE (Build 35)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.3 GRE (Build 205)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

$ ./configure --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib --with-dnet-includes=/usr/local/include --with-dnet-libraries=/usr/local/lib --disable-ipv6 --disable-active-response --disable-react

DAQ:
It was created by daq configure 0.6.2, which was
generated by GNU Autoconf 2.67.  Invocation command line was

  $ ./configure --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib


-- 
Jesse Bowling
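The post asks for something more definitive than top/vmstat/sar output when deciding whether snort's resident memory is growing without bound. The script below is an added example, not part of the original post and not Snort or PF_RING code: a POSIX shell sampler that reads VmRSS and VmSwap for every process named snort from /proc/<pid>/status, logs one line per sample, and reports the average RSS growth per interval over the run. The process name, the 60 second interval, the sample count and the 10 MB per interval warning threshold are assumed defaults, not values from the post; a steady positive growth rate that never plateaus is the signature to look for before the box starts swapping.

```shell
#!/bin/sh
# Added example (not from the original post): sample snort RSS from /proc and
# flag sustained growth. Assumes Linux /proc, pgrep, and a POSIX shell.

# rss_kb PID -> VmRSS in kB for PID (prints nothing if the process is gone)
rss_kb() {
    awk '/^VmRSS:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# swap_kb PID -> VmSwap in kB for PID (0 if the kernel does not report it)
swap_kb() {
    s=$(awk '/^VmSwap:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    echo "${s:-0}"
}

# growth_rate SAMPLE... -> average kB change per interval, (last - first)/(n - 1)
# Prints 0 when fewer than two samples were taken.
growth_rate() {
    n=$#
    if [ "$n" -lt 2 ]; then
        echo 0
        return
    fi
    first=$1
    shift $((n - 1))
    last=$1
    echo $(( (last - first) / (n - 1) ))
}

# leak_suspect RATE_KB THRESHOLD_KB -> true when growth exceeds the threshold
leak_suspect() {
    [ "$1" -gt "$2" ]
}

# sample_loop NAME INTERVAL COUNT [THRESHOLD_KB]
# Logs "epoch pid rss_kb swap_kb" for each matching process at every sample,
# then prints the growth rate of the summed RSS and a warning if it is high.
sample_loop() {
    name=$1; interval=$2; count=$3; threshold=${4:-10240}   # 10240 kB = 10 MB assumed default
    i=0
    series=""
    while [ "$i" -lt "$count" ]; do
        total=0
        for pid in $(pgrep -x "$name"); do
            rss=$(rss_kb "$pid")
            [ -n "$rss" ] || continue
            printf '%s pid=%s rss_kb=%s swap_kb=%s\n' \
                "$(date +%s)" "$pid" "$rss" "$(swap_kb "$pid")"
            total=$((total + rss))
        done
        series="$series $total"
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then
            sleep "$interval"
        fi
    done
    rate=$(growth_rate $series)
    printf 'summed RSS growth: %s kB per %ss interval\n' "$rate" "$interval"
    if leak_suspect "$rate" "$threshold"; then
        echo "WARNING: sustained RSS growth; save snort --version, snort.conf and PF_RING stats now, before swapping starts"
    fi
}

# Usage (not run automatically): sample_loop snort 60 30
```

Run it alongside `vmstat 60` so the RSS series can be lined up against swap-in/swap-out and iowait columns; if RSS climbs linearly while traffic is steady, the growth is not load-driven, which is the kind of evidence the thread is asking for before blaming a particular version.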
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!