Snort mailing list archives

Re: [Fwd: snort-2.6rc1 using a lot of memory]

From: Steven Sturges <steve.sturges () sourcefire com>
Date: Wed, 19 Apr 2006 09:30:05 -0400

Nerijus--

As noted in the RELEASE.NOTES, there was a change in the
default pattern matching engine from Wu-Manber to standard
Aho-Corasick which is faster but consumes more memory.

This effectively replaced an implicit config of

config detection: search-method mwm

with

config detection: search-method ac

The Aho-Corasick implementation in snort has a few different
memory models, standard, full, banded, sparse, and sparse
banded.  The sparse and spare-banded ones consume much less
memory... To use them, add a snort.conf line, as desired,
for example.  Wu-Manber is being deprecated in the next
release.

config detection: search-method ac-sparsebands

There is also the lowmem method, which is slow, but uses
very little memory.

Cheers.
-steve

  While running a test instance of snort-2.6rc1 (and the same was with
2.6beta) on Linux, noticed that it is very memory hungry. At the
moment it's 865Mb in resident size with almost all preprocessors
enabled and almost all VRT, community and bleeding rules. Is that
normal and we should expect that 2.6 series will demand that much RAM?
Of course, with this kind of setup one can expect that snort will
consume a bit bigger amount of RAM, but not in such numbers. For
example, 2.4.4 running with the same config (as much as it is
possible, taking into account the differences between 2.4 and 2.6
series) is 125Mb in resident size. That's nearly 7 times less.

  If any of the developers are interested in my config -- just tell me. :)



-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: [Fwd: snort-2.6rc1 using a lot of memory] Steven Sturges (May 10)
- Re: [Fwd: snort-2.6rc1 using a lot of memory] Nerijus Krukauskas (Apr 20)