Snort mailing list archives

Re: Snort is using a lot of memory


From: Anna <Anna () sonru com>
Date: Fri, 29 Sep 2017 14:15:38 +0100

I have only one snort.conf, which is located in /etc/snort.

This is my command for starting Snort -> ExecStart=/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

The problem started on the 15th of September when we upgraded CentOS to 7.4.1708; the server was restarted and we
started getting notifications regarding Snort. Before that, Snort was running for a few months without issues.

At the moment it is using 29-30% of memory. I was expecting this behaviour when Snort started and ran, but after a few
days it should stabilise (that happened when I installed it in June). I have two testing environments where Snort was
running without issue; now both of the servers are using a lot of memory.

This is the chunk of snort.conf for stream5_global (we have a lot of those notifications from Snort)


preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   memcap 500000000, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

Any steps to rectify this will be great.

Let me know what more I should provide to diagnose the problem.

Thank you

Anna

On 19 Sep 2017, at 17:55, Joel Esler (jesler) <jesler () cisco com> wrote:

Are you sure that you are referring to the correct snort.conf?

We need more information.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Sep 19, 2017, at 9:25 AM, Anna <Anna () sonru com> wrote:

Hi,

Snort: 2.9.9.0
OS: CentOS 7

Recently Snort started to use a lot of memory, and it is constantly at 29-30% usage. It did not happen before
(even when Snort was using more memory at the beginning, it went down after an hour or two); the only change to the
server was a CentOS upgrade.

I put the memcap in the snort.conf -> stream5: global and restarted Snort, but the memory usage did not go down. It
is as if Snort is ignoring the config.

Any help with this?


<Screen Shot 2017-09-19 at 14.15.49.png>

Thank you

ANNA
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
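
Added example (not part of the original messages and not Snort project code): a Python check for the two things the thread asks about, which file the process was started with (-c) and what stream5_global in that file sets. The sample text is constructed from the command and directive quoted above; memcap is an option of the stream5 preprocessor, so a process RSS above it does not by itself show that the config was ignored.

```python
import re
import shlex

# Constructed sample input: the directive and start command quoted in the thread.
SAMPLE_CONF = """\
# comments and blank lines are skipped
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   track_icmp no, \\
   memcap 500000000, \\
   max_tcp 262144, \\
   max_udp 131072, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""
SAMPLE_CMDLINE = "/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0"

def config_path(cmdline):
    """Return the file given with -c, i.e. the config the process was started with."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv[:-1]):
        if arg == "-c":
            return argv[i + 1]
    return None

def preprocessor_options(conf_text, name):
    """Return one {option: value} dict per 'preprocessor <name>:' directive."""
    # Join backslash-continued lines so each directive sits on one line.
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    found = []
    for line in joined.splitlines():
        m = re.match(r"preprocessor\s+%s\s*:(.*)$" % re.escape(name), line.strip())
        if not m:
            continue  # comment, blank line or a different directive
        opts = {}
        for item in m.group(1).split(","):
            parts = item.split(None, 1)
            if parts:
                opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        found.append(opts)
    return found

def memcap_report(conf_text, rss_bytes):
    """Summarise stream5_global memcap values next to a measured process RSS."""
    blocks = preprocessor_options(conf_text, "stream5_global")
    caps = [int(b["memcap"]) for b in blocks if "memcap" in b]
    return {"directives": len(blocks), "memcaps": caps,
            "rss_exceeds_memcap": bool(caps) and rss_bytes > max(caps)}
```

A "directives" count above 1 means the file defines stream5_global more than once, which is worth resolving before comparing memory figures.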

