Possible memory leak?
-
Hi, over the days, with an uptime of 10 days, 17:05u, I see my memory usage growing.
Now it has already reached 70%. When it was just installed, the memory usage was about <15%.
Currently I have activated all default services with PPTP and Snort (with autoblock).
After restarting the snort service, memory dropped to 64% RAM usage.

What could be wrong and can I fix this?
(Last week I ordered a memory upgrade to 512 ram, maximum supported system memory).

Details about my pfsense-box:
1.0.1
built on Sun Oct 29 01:07:16 UTC 2006
Current memory is 256 MB RAM
Swap disk is 512 MB.
Hard disk: several gigabytes.
-
Run top from Diagnostics -> Command -> Execute Shell command -> Command
Monitor the individual processes' memory usage over the course of a few days.
But a complete wild guess would be Snort.
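As an added example that is not part of the thread: one way to follow this advice is to save `top -b` output to a file at intervals and compare two snapshots per process. The function name `res_growth` and the sample snapshots are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare two saved top snapshots and
# list per-process RES growth, largest first.

# res_growth OLD NEW -> lines of "delta_kb old_kb new_kb pid command"
res_growth() {
    awk '
    # Convert a top size field such as 79564K or 113M to KB.
    function kb(v,  n, u) {
        n = v + 0; u = substr(v, length(v))
        if (u == "M") return n * 1024
        if (u == "G") return n * 1024 * 1024
        return n
    }
    # Process rows start with a numeric PID; RES is column 7, COMMAND is last.
    # Keying on PID plus COMMAND skips processes restarted between snapshots.
    $1 ~ /^[0-9]+$/ && NF >= 11 {
        key = $1 " " $NF
        if (FNR == NR) old[key] = kb($7)
        else if (key in old)
            printf "%d %d %d %s\n", kb($7) - old[key], old[key], kb($7), key
    }' "$1" "$2" | sort -rn
}

# Constructed sample snapshots in the top layout shown in the thread;
# the sizes are illustrative, not measurements.
sample_old() { cat <<'EOF'
28 processes:  2 running, 26 sleeping
  PID USERNAME THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 3231 root       1 -58    0    98M 61440K bpf      2:10  0.00% snort
60233 root       1 116   20 10160K  9428K RUN      1:05  0.34% lighttpd
  393 root       1   4    0 20656K 17540K accept   0:03  0.00% php
EOF
}
sample_new() { cat <<'EOF'
28 processes:  2 running, 26 sleeping
  PID USERNAME THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
 3231 root       1 -58    0   113M 79564K bpf      6:21  0.00% snort
60233 root       1 116   20 10160K  9428K RUN      3:35  0.34% lighttpd
  393 root       1   4    0 20656K 17028K accept   0:06  0.00% php
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_old > "$d/old"; sample_new > "$d/new"
    res_growth "$d/old" "$d/new"
    rm -rf "$d"
}
demo
```

A process whose RES delta keeps rising across several snapshot pairs while its PID stays the same is the one to investigate.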
-
This is the output of top:
$ top
last pid: 79664;  load averages:  0.00,  0.02,  0.01  up 12+00:14:04  22:07:48
28 processes:  2 running, 26 sleeping
Mem: 124M Active, 49M Inact, 37M Wired, 4996K Cache, 34M Buf, 27M Free
Swap: 512M Total, 512M Free

  PID USERNAME THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
40965 root       1  -8    0 20656K 18376K piperd   0:33  1.07% php
60233 root       1 116   20 10160K  9428K RUN      3:35  0.34% lighttpd
76679 root       1   8   20  2572K  1924K wait    10:41  0.00% sh
 3231 root       1 -58    0   113M 79564K bpf      6:21  0.00% snort
  297 root       1 -58    0  4124K  1992K bpf      0:43  0.00% tcpdump
  597 _ntp       1  96    0  1256K   940K select   0:18  0.00% ntpd
  174 root       1  96    0  1360K   952K select   0:15  0.00% syslogd
  498 proxy      1   4    0   656K   308K kqread   0:11  0.00% pftpx
  563 dhcpd      1  96    0  2100K  1748K select   0:10  0.00% dhcpd
  418 nobody     1  96    0  1328K   972K select   0:09  0.00% dnsmasq
  600 root       1   8    0  1304K   960K nanslp   0:08  0.00% cron
  393 root       1   4    0 20656K 17540K accept   0:06  0.00% php
  298 root       1  -8    0  1196K   664K piperd   0:04  0.00% logger
  598 root       1  96    0  1296K   944K select   0:03  0.00% ntpd
  250 _dhcp      1  96    0  1388K  1008K select   0:01  0.00% dhclient
74618 root       1  96    0  1288K   628K select   0:00  0.00% mpd
 3234 root       1   4    0  1212K   892K kqread   0:00  0.00% snort2c
  394 root       1   8    0 13080K  3336K wait     0:00  0.00% php
-
Snort is using the most memory.
-
I see. But why did the (total) memory usage not drop back to about 15% when I restarted the snort service earlier?
Update
I have reinstalled the snort package, in the expectation that this would update the package to the latest version, as published in the news section of the snort.org site. Also because, as the news topic states:
_Snort v2.6.1.5 has been released. The software and source code is available at: http://snort.org/dl/
Snort v2.6.1.5 includes:
* A new http_post rule keyword used to search for content in normalized HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events_
Although this was a misconception, a pleasant side effect was that the memory usage dropped to 30%!
Off-topic: the news section writes about the OSSEC Host-based Intrusion Detection System. (Snort is network-based). Is such a package available for pfsense? (snort and ossec look like a nice combination to me; is it?)
-
Any HIDS on a firewall isn't going to be as useful as HIDS on actual accessible systems (like servers). Network IDS/IPS is much more important and relevant on a firewall. We may add some sort of HIDS package in the (maybe distant) future though.