Snort memory usage drops by %50

BBcan177

At startup, Snort will use more memory as it is configuring and loading all of its settings. Recommend also to use "AC-BNFA-NQ".

fantasypoo

@BBcan177:

At startup, Snort will use more memory as it is configuring and loading all of its settings. Recommend also to use "AC-BNFA-NQ".

Thanks, I prefer AC because I have the pfsense model C2758 and it has 8gb of ram.

BBcan177

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.

fantasypoo

@BBcan177:

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.

thx for the tip!
how much ram do you have ?

BBcan177

@fantasypoo:

@BBcan177:

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.

thx for the tip!
how much ram do you have ?

Several different boxes in the range of 3GB, 4GB, 8GB, 32GB…

Even at 32GB, "AC" was causing issues, plus it takes forever to reload the Snort config when using "AC". It also caused some random Snort crashes with no particular log errors to debug... My 2cents!

fantasypoo

@fantasypoo:

@BBcan177:

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.

thx for the tip!
how much ram do you have ?

https://forum.pfsense.org/index.php?topic=75216.msg410701#msg410701
I read this forum post and the suggestion was more ram.  I have ordered another 8gb ECC ram …hopefully this will be the cure for running it in AC mode.

bmeeks

No modes other than AC-BNFA or AC-BNFA-NQ are recommended.  Expect problems with AC mode.  Don't know why, but it just seems to gobble up RAM and does not really boost performance much – certainly not enough of a boost to justify the random issues it causes.

Bill

fantasypoo

@bmeeks:

No modes other than AC-BNFA or AC-BNFA-NQ are recommended.  Expect problems with AC mode.  Don't know why, but it just seems to gobble up RAM and does not really boost performance much – certainly not enough of a boost to justify the random issues it causes.

Bill

hmm.. does the same apply to Suricata ?  Default is AC

doktornotor

AC-BNFA-NQ is not available in Suricata.

fantasypoo

I will upgrade to 32gb ram over the coming weeks…  I may sound like a raving lunatic but I can't stand for this "AC-BNFA-NQ"

bmeeks

@fantasypoo:

hmm.. does the same apply to Suricata ?  Default is AC

Suricata is a completely different binary code base.  You can't really compare the two in this area.

Bill