Snort and Memory Usage / Swap Usage Concerns
-
I picked up a Lenovo m58p at a government surplus equipment sale, installed a second NIC and pfSense, and have been using it as a gateway and firewall for a few months now. I have been very happy with it and have begun to experiment as I learn more about pfSense and the available packages, Snort in particular. I have been tweaking the rules and detection performance settings, and though CPU usage remains low, memory usage has increased significantly to the 80-90% range, and for the first time I have swap usage. I have 4GB of RAM and a 1 TB hard drive with an 8192MB swap partition. Everything seems to be working well, but I am surprised by the memory usage. Anything to be concerned about?
Here are the details:
Version 2.1.2-RELEASE (amd64)
built on Thu Apr 10 05:42:13 EDT 2014
FreeBSD 8.3-RELEASE-p15
You are on the latest version.
Platform pfSense
CPU Type Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz
2 CPUs: 1 package(s) x 2 core(s)
Uptime 20 Hours 43 Minutes 13 Seconds
Current date/time Sun Apr 13 17:17:52
DNS server(s)
Last config change Sun Apr 13 13:34:21
State table size 0% (823/380000)
MBUF Usage 10% (2630/25600)
Temperature 25.0°C
Load average 0.00, 0.00, 0.00
CPU 1%
Memory usage 89% of 3808 MB
SWAP usage 4% of 8192 MB
Disk usage 0% of 894G
-
Snort eats memory like nothing else, especially if you don't take steps to prevent it from doing so. In that respect your increased memory usage is completely normal. However, you do not, ever, want to be swapping. It will bog down performance dramatically. If you're not seeing that, then it's likely the swap usage was not a continuous thing, but it shows you are at the edge of your RAM requirement. You should probably either take steps to reduce Snort's footprint or add more RAM.
@http://mikelococo.com/2011/08/snort-capacity-planning/:
RAM
Each snort process can occupy 2Gbytes-5Gbytes of ram. How much depends on:
Traffic – The more traffic a sensor handles, the more state it must track. Stream5 can use anywhere from a few Mbytes to 1Gbyte to track TCP state.
Pattern Matcher – Some pattern matchers are very CPU efficient, and others are very memory efficient. The ac-nq matcher is the most cpu-efficient, reducing CPU usage by up to 30% over ac-split, but adding over 1Gbyte of ram usage per process. The ac-bnfa matcher is quite memory efficient, reducing ram usage by several hundred Mbytes per process, but increasing CPU usage by up to 20%.
Number of rules – The more rules that are active, the more memory the pattern matcher uses.
Preprocessor configs – The stream5 memcap is one crucial factor for controlling memory usage, but all preprocessors occupy memory and many can be configured to be conservative or resource-hungry.
A Snort process inspecting 400Mbits/sec of traffic, with 7000 active rules, using the ac-nq pattern matcher (which is memory-hungry), and a stream5 memcap of 1Gbyte uses about 4.5Gbytes of RAM. With a smaller ruleset and the ac-bnfa pattern matcher (which is memory-efficient), I've observed snort processes use about 2.5Gbytes of RAM.
Note that the operating system and other applications will need some RAM as well, and if you don't have unusual needs 2G is generally plenty. A detailed discussion of RAM sizing for the database is beyond the scope of this post, but generally for a multi-snort deployment it's worth putting the database on a separate server that has 1-4Gbytes of RAM.
Steve
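To make the two knobs named in the quoted article concrete, here is an added example (not from the thread, the poster, or the linked article) of the Snort 2.x snort.conf directives behind them: the memory-hungry profile beside the conservative one. The memcap and max_tcp values are chosen for illustration only. On pfSense the Snort package regenerates snort.conf from the GUI on every start, so these lines are what the interface's Search Method setting (Detection Performance Settings) and the stream5 memcap field (Preprocessors tab) produce, not something you would edit by hand on the box.

```conf
# --- Memory-hungry profile (added example, matches the 4.5 GB case the article describes) ---
# ac-nq: fastest Aho-Corasick variant, but adds over 1 GB of RAM per snort process
config detection: search-method ac-nq
# stream5 memcap is in bytes; 1073741824 = 1 GiB of TCP reassembly state
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144, memcap 1073741824

# --- Conservative profile (added example, for a 4 GB firewall that must never swap) ---
# ac-bnfa: memory-efficient matcher; costs up to ~20% more CPU, which is cheap here (CPU was at 1%)
config detection: search-method ac-bnfa search-optimize max-pattern-len 20
# 268435456 = 256 MiB memcap and fewer tracked sessions; assumed values, size them to real traffic
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 65536, memcap 268435456
```

The check after changing either setting is the same dashboard the original post quoted: restart Snort on the interface, let it run for a day, and confirm that Memory usage drops out of the 80-90% range and that SWAP usage stays at 0%. A smaller memcap also means stream5 starts pruning sessions sooner under load, so trimming the enabled rule categories (the third factor in the quoted list) is usually the cheaper first step before cutting reassembly state.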