Snort eating up swap

iggdawg · May 18, 2009, 4:53 PM

I have pfsense 1.2.3 running on a soekris net5501. I've been having issues trying to get snort to work. I know the hardware is fine, I ran snort under OpenBSD, running it on the LAN and WAN interfaces at once with all rules active. It worked great, never complained much. The only pain was filtering false positives =P.

Under pfsense when I try to run it, it slowly eats up all my memory, then all my swap, finally causing snort to exit out. Is there some fundamental setting I'm missing? I'm running it more or less default on the WAN interface only, with about half the rules checked. It takes a while to exhaust memory and swap, but eventually does it. I have 512 megs of ram on the system, and 2 gigs of swap space.

Cry Havok · May 18, 2009, 5:29 PM

What version of snort, what configuration, what rules? When you say "all rules" are you referring to the stock rules, what?

fastcon68 · May 19, 2009, 1:32 AM

I was just looking and and I am using 59% of 10GB of disk space that I have allocated to Pf-Sense. I thought that that was interesting based on that the post.

I have the following services and have about 5 external rules and 30 IPSEC rules:
AutoConfigBackup Services 1.15
Avahi Network Management 0.6.25
Dashboard System 0.7.6.2
HAVP antivirus Network Management 0.88_05
Notes Status 0.2.4
nmap Security 4.76
phpSysInfo System 2.5.4
vnstat Network Management 1.6.3

RC

Cry Havok · May 19, 2009, 6:05 AM

Ok, the firewall rules have nothing to do with Snort rules. What Snort rules do you have enabled.

ColdFusion · May 19, 2009, 10:34 AM

512 Ram is cutting it close plus you're running other services as well. What is your performance setting in Snort?? ac-bnfa works the best. Low mem consumption, faster loading, and it works. I have 1 Pf box with 1 gig ram and Snort,Squid, Squidguard,havp,nut running for over 40 days with just 56-60% ram used and swap never used. I only have about 7-8 rule sets enabled in Snort at this time though.

iggdawg · May 21, 2009, 12:31 PM

I believe I was running ac-sparsebands. I switch to ac-bnfa and it resolved the issue. I think I was running out of RAM. even using ac-bnfa each instance still eats up a surprising amount of memory. I suppose I wasn't expecting that since snort used to use a lot less for me under openbsd.

ColdFusion · May 22, 2009, 11:46 AM

Over time it does increase, but then stops at a certain point. I've gone 60+ days with it running ok. The thing is once you update the rules periodically anyway, Snort has to reload the rules and memory will decrease some anyway.