Snort mailing list archives

Re: Snort High Memory Usage
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 01 Jun 2013 03:45:41 -0400

On 5/31/2013 20:00, Joel Esler wrote:
2.9.x takes more memory than 2.8.x. It does much more. Kind of a bad comparison.

true but i was only posting those to show the difference... not really as a 
comparison of the two versions...


On May 31, 2013, at 7:54 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 5/31/2013 19:27, Josh Bitto wrote:
I'm just doing a top on command line and looking at mem% for each snort pid
that comes up for the sensors.

i thought that was likely the case ;)

what are the numbers under the VIRT and RES columns?

can i assume that you are doing SHIFT-M in top to sort by most memory used?

We had Emerging threats and the original snort rules enabled. Took ET off and
that took the memory down some, but I don't want to sacrifice that if I can
help it.

one box i'm looking at with and only the default VRT rules set with no
rules commented out or added shows

VIRT = 371m RES = 119m

another box with and only the ET set plus some (~15) local.rules with
some of the ET rules disabled from default shows

VIRT = 199m RES = 175m

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Friday, May 31, 2013 4:20 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort High Memory Usage

On 5/31/2013 17:46, Josh Bitto wrote:
Currently I’m running 7 snort sensors on my pfsense firewall and each of
them is at 672 mb’s for using memory. Which seems really high. I believe I
read somewhere in documentation that the memory is usually around 200 mb’s.
Can anyone shed some light on this for me?

how many rules do you have enabled?

what tool are you using to view that memory consumption?

what column are those figures listed under in that tool?

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
