Re: Snort 2.9.1 memory usage

[Sudarshan Raghavan <sudarshan.t.raghavan () gmail com>]

Russ/Joel,

Reducing max_tcp and max_udp brought down memory usage significantly.
Thanks a ton for the help.

Regards,
Sudarshan

On Tue, Jan 31, 2012 at 10:55 PM, Russ Combs <rcombs () sourcefire com> wrote:
> You should also look at the various preprocessor memcaps and stream5's
> max_tcp, max_udp, and max_ip.
>
> On Tue, Jan 31, 2012 at 12:20 PM, Joel Esler <jesler () sourcefire com> wrote:
> > You don't want to disable PAF.
> >
> > The daq module shouldn't make a difference.
> >
> > You can try the lowmem search method.  Or ac-bnfa.
> >
> > http://manual.snort.org/node16.html#SECTION00313000000000000000
> >
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> > On Jan 31, 2012, at 12:16 PM, Sudarshan Raghavan wrote:
> >
> > > I tried disabling PAF without any luck. I assume from your email that
> > > increased memory usage is expected. I have tried both ipq and nfq daq
> > > modules and I don't see any difference. I was hoping there would be a
> > > build or snort.conf option to control memory usage. The jump from
> > > 2.8.5 (<50M) to 2.9.1.2 (>500M) seems rather steep.
> > >
> > > Regards,
> > > Sudarshan
> > >
> > > On Tue, Jan 31, 2012 at 10:00 PM, Joel Esler <jesler () sourcefire com>
> > > wrote:
> > > > It's not surprising that memory usage has went up. There are a lot more
> > > > features in Snort now that have been added in the past in the past two
> > > > years.
> > > >
> > > > Namely of which is PAF.
> > > >
> > > > http://blog.snort.org/2011/09/what-is-paf.html
> > > >
> > > >
> > > > --
> > > > Joel Esler
> > > > Senior Research Engineer, VRT
> > > > OpenSource Community Manager
> > > > Sourcefire
> > > >
> > > > On Jan 31, 2012, at 11:22 AM, Sudarshan Raghavan
> > > > <sudarshan.t.raghavan () gmail com> wrote:
> > > >
> > > > I tried sending the configuration file but it looks like that email
> > > > bounced.
> > > > Are there any specific parts of the configuration that you would like
> > > > to
> > > > look at?
> > > >
> > > > Regards,
> > > > Sudarshan
> > > >
> > > > On 31-Jan-2012 7:33 PM, "Sudarshan Raghavan"
> > > > <sudarshan.t.raghavan () gmail com> wrote:
> > > > > Yes, I did. I can post the configuration file here if that would help.
> > > > >
> > > > > Regards,
> > > > > Sudarshan
> > > > >
> > > > > On 31-Jan-2012 7:23 PM, "Joel Esler" <jesler () sourcefire com> wrote:
> > > > > > Did you modify your configuration file during the upgrade?
> > > > > >
> > > > > > --
> > > > > > Joel Esler
> > > > > > Senior Research Engineer, VRT
> > > > > > OpenSource Community Manager
> > > > > > Sourcefire
> > > > > >
> > > > > > On Jan 31, 2012, at 5:07 AM, Sudarshan Raghavan
> > > > > > <sudarshan.t.raghavan () gmail com> wrote:
> > > > > >
> > > > > > > Please let me know if you need more information. I have also tried
> > > > > > > running snort 2.9.1.2 with the set of rules used with snort 2.8.5
> > > > > > > and
> > > > > > > can still see that memory usage is quite high. Can something be done
> > > > > > > when snort is being built to fix this? We need to run snort on
> > > > > > > machines that have only 1G of RAM and the current memory usage is
> > > > > > > too
> > > > > > > high for it.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Sudarshan
> > > > > > >
> > > > > > > On Tue, Jan 31, 2012 at 1:11 PM, Sudarshan Raghavan
> > > > > > > <sudarshan.t.raghavan () gmail com> wrote:
> > > > > > > > Here is a better version of the question.
> > > > > > > >
> > > > > > > > Version of Snort: Version 2.9.1.2 IPv6 GRE (Build 84) libpcap:
> > > > > > > > 0.8.3,
> > > > > > > > pcre: 7.0 18-Dec-2006, zlib: 1.2.3
> > > > > > > > Linux Kernel: 2.6.37.3 (32 bit)
> > > > > > > >
> > > > > > > > The problem seen is that the new version of snort uses upwards of
> > > > > > > > 512M
> > > > > > > > of memory when it starts. This is even before any traffic is being
> > > > > > > > sent through it.
> > > > > > > >
> > > > > > > > 3806 root      30  10  562m 132m 2060 S    0  3.3   0:05.91 snort
> > > > > > > >
> > > > > > > > The 2.8.5 snort version that we had was using less than 50M of
> > > > > > > > virtual
> > > > > > > > memory when it starts. I have tried bnfa-nq and lowmem-nq without
> > > > > > > > any
> > > > > > > > luck. I have tried to start the new snort with just the 1 rule file
> > > > > > > > with about 10 rules in it without any big improvement. In the last
> > > > > > > > case memory usage did go down but was still greater than 450M. Is
> > > > > > > > this
> > > > > > > > the expected behaviour with snort 2.9?
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Sudarshan
> > > > > > > >
> > > > > > > > On Mon, Jan 30, 2012 at 7:30 PM, Sudarshan Raghavan
> > > > > > > > <sudarshan.t.raghavan () gmail com> wrote:
> > > > > > > > > We are upgrading our snort version from 2.8.5 to 2.9.1 and it
> > > > > > > > > looks
> > > > > > > > > like
> > > > > > > > > memory usage has gone up by an order of 10. I am currently
> > > > > > > > > debugging
> > > > > > > > > and
> > > > > > > > > wanted to check if there is something obvious that I am missing.
> > > > > > > > > We
> > > > > > > > > have
> > > > > > > > > IPv6 turned on. Please let me know if you need more information.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Sudarshan
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ------------------------------------------------------------------------------
> > > > > > > Keep Your Developer Skills Current with LearnDevNow!
> > > > > > > The most comprehensive online learning library for Microsoft
> > > > > > > developers
> > > > > > > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3,
> > > > > > > MVC3,
> > > > > > > Metro Style Apps, more. Free future releases when you subscribe now!
> > > > > > > http://p.sf.net/sfu/learndevnow-d2d
> > > > > > > _______________________________________________
> > > > > > > Snort-users mailing list
> > > > > > > Snort-users () lists sourceforge net
> > > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > Snort-users list archive:
> > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > > >
> > > > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > > > Snort news!
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!