• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Snort eating up swap

Scheduled Pinned Locked Moved 1.2.3-PRERELEASE-TESTING snapshots - RETIRED
7 Posts 4 Posters 3.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • I
    iggdawg
    last edited by May 18, 2009, 4:53 PM

    I have pfsense 1.2.3 running on a soekris net5501.  I've been having issues trying to get snort to work.  I know the hardware is fine, I ran snort under OpenBSD, running it on the LAN and WAN interfaces at once with all rules active.  It worked great, never complained much.  The only pain was filtering false positives =P.

    Under pfsense when I try to run it, it slowly eats up all my memory, then all my swap, finally causing snort to exit out.  Is there some fundamental setting I'm missing?  I'm running it more or less default on the WAN interface only, with about half the rules checked.  It takes a while to exhaust memory and swap, but eventually does it.  I have 512 megs of ram on the system, and 2 gigs of swap space.

    1 Reply Last reply Reply Quote 0
    • C
      Cry Havok
      last edited by May 18, 2009, 5:29 PM

      What version of snort, what configuration, what rules?  When you say "all rules" are you referring to the stock rules, what?

      1 Reply Last reply Reply Quote 0
      • F
        fastcon68
        last edited by May 19, 2009, 1:32 AM

        I was just looking and and I am using 59% of 10GB of disk space that I have allocated to Pf-Sense.  I thought that that was interesting based on that the post.

        I have the following services and have about 5 external rules and 30 IPSEC rules:
        AutoConfigBackup  Services  1.15
        Avahi  Network Management  0.6.25
        Dashboard  System  0.7.6.2
        HAVP antivirus  Network Management  0.88_05
        Notes  Status  0.2.4
        nmap  Security  4.76
        phpSysInfo  System  2.5.4
        vnstat  Network Management  1.6.3

        RC

        1 Reply Last reply Reply Quote 0
        • C
          Cry Havok
          last edited by May 19, 2009, 6:05 AM

          Ok, the firewall rules have nothing to do with Snort rules.  What Snort rules do you have enabled.

          1 Reply Last reply Reply Quote 0
          • C
            ColdFusion
            last edited by May 19, 2009, 10:34 AM

            512 Ram is cutting it close plus you're running other services as well. What is your performance setting in Snort?? ac-bnfa works the best. Low mem consumption, faster loading, and it works. I have 1 Pf box with 1 gig ram and Snort,Squid, Squidguard,havp,nut running for over 40 days with just 56-60% ram used and swap never used. I only have about 7-8 rule sets enabled in Snort at this time though.

            1 Reply Last reply Reply Quote 0
            • I
              iggdawg
              last edited by May 21, 2009, 12:31 PM

              I believe I was running ac-sparsebands.  I switch to ac-bnfa and it resolved the issue.  I think I was running out of RAM.  even using ac-bnfa each instance still eats up a surprising amount of memory.  I suppose I wasn't expecting that since snort used to use a lot less for me under openbsd.

              1 Reply Last reply Reply Quote 0
              • C
                ColdFusion
                last edited by May 22, 2009, 11:46 AM

                Over time it does increase, but then stops at a certain point. I've gone 60+ days with it running ok. The thing is once you update the rules periodically anyway, Snort has to reload the rules and memory will decrease some anyway.

                1 Reply Last reply Reply Quote 0
                7 out of 7
                • First post
                  7/7
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                  This community forum collects and processes your personal information.
                  consent.not_received