Possible memory leak?

Snailer

Hi, over the days with a uptime of 10 days, 17:05u; i see my memory usage growing.
Now it has reached already 70%. When it was just installed, the memory usage was about <15%.
Currently I have activated all default services with PTPP and Snort (with autoblock).
After restarting the snort service, memory dropped to 64% ram usage.

What could be wrong and can I fix this?
(Last week I have ordered a memory upgrade to 512 ram, maximum supported system memory).

Details about my pfsense-box:
1.0.1
built on Sun Oct 29 01:07:16 UTC 2006
Current memory is 256 mb ram
swap disk is 512 mb.
Hard disk several gigabyte.

sullrich

Run top from Diagnostics -> Command -> Execute Shell command -> Command

Monitor the individual processes memory usage over the course of a few days.

But a complete wild guess would be Snort.

Snailer

This is the output of top:

$ top
last pid: 79664;  load averages:  0.00,  0.02,  0.01  up 12+00:14:04    22:07:48
28 processes:  2 running, 26 sleeping

Mem: 124M Active, 49M Inact, 37M Wired, 4996K Cache, 34M Buf, 27M Free
Swap: 512M Total, 512M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
40965 root        1  -8    0 20656K 18376K piperd   0:33  1.07% php
60233 root        1 116   20 10160K  9428K RUN      3:35  0.34% lighttpd
76679 root        1   8   20  2572K  1924K wait    10:41  0.00% sh
 3231 root        1 -58    0   113M 79564K bpf      6:21  0.00% snort
  297 root        1 -58    0  4124K  1992K bpf      0:43  0.00% tcpdump
  597 _ntp        1  96    0  1256K   940K select   0:18  0.00% ntpd
  174 root        1  96    0  1360K   952K select   0:15  0.00% syslogd
  498 proxy       1   4    0   656K   308K kqread   0:11  0.00% pftpx
  563 dhcpd       1  96    0  2100K  1748K select   0:10  0.00% dhcpd
  418 nobody      1  96    0  1328K   972K select   0:09  0.00% dnsmasq
  600 root        1   8    0  1304K   960K nanslp   0:08  0.00% cron
  393 root        1   4    0 20656K 17540K accept   0:06  0.00% php
  298 root        1  -8    0  1196K   664K piperd   0:04  0.00% logger
  598 root        1  96    0  1296K   944K select   0:03  0.00% ntpd
  250 _dhcp       1  96    0  1388K  1008K select   0:01  0.00% dhclient
74618 root        1  96    0  1288K   628K select   0:00  0.00% mpd
 3234 root        1   4    0  1212K   892K kqread   0:00  0.00% snort2c
  394 root        1   8    0 13080K  3336K wait     0:00  0.00% php

sullrich

Snort is using the most memory.

Snailer

I see. But why did not the (total) memory usage dropped back to about 15% when I restarted the snort service earlier?

Update
I have reinstalled the snort package, under the expectation to update the package to the latest version as published on the snort.org site news section. Also because as the news topic states:

_Snort v2.6.1.5 has been released. The software and source code is available at: http://snort.org/dl/

Snort v2.6.1.5 includes:

* A new http_post rule keyword used to search for content in normalized HTTP posts
    * A fix for a potential memory leak when generating HTTP Inspection events_

Although this was a misconception, a pleasant side effect was that the memory usage dropped to 30%!

Off-topic: the news section writes about the OSSEC Host-based Intrusion Detection System. (Snort is network-based). Is such package available for pfsense? (snort and ossec looks a nice combination for me; is it?)

cmb

Any HIDS on a firewall isn't going to be as useful as HIDS on actual accessible systems (like servers). Network IDS/IPS is much more important and relevant on a firewall. We may add some sort of HIDS package in the (maybe distant) future though.