Snort Consuming All Memory
-
I have finally determined the cause of this issue.
The server runs fine disabling the feature "Snort Interfaces -> Edit -> RTVLA Preprocs -> HTTP Inspect -> Edit -> Inspect gzip".
Any suggestions so I can re-enable this option?
Thanks!
Andre
-
There is a parameter associated with this setting that controls the maximum amount of memory it should consume when inspecting gzip streams. The parameter defaults to 838860 bytes and is found under the HTTP_INSPECT preprocessor section of the PREPROCESSORS tab. What value is yours set to? Is yours changed from the default, and if so, is the value set to something considerably less than the maximum memory in the firewall?
Bill
-
It's the default - 838860
-
> It's the default - 838860
Well then, I'm officially stumped as to the cause. That parameter should limit the total amount of memory consumed by the HTTP_INSPECT preprocessor when it unzips and attempts to analyze a gzip file. If it runs up against that limit, it should log a warning message and just forget further unzipping of that file stream. It definitely should not keep gobbling up memory.
Bill
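To make Bill's point concrete, here is an added example (not from the thread or the pfSense package) that parses the gzip settings from a Snort 2.9 `http_inspect: global` line and works out the decompression budget. It assumes the Snort 2.9 option names `max_gzip_mem`, `compress_depth` and `decompress_depth` and the manual's rule that concurrent gzip sessions = max_gzip_mem / (compress_depth + decompress_depth); the config fragment is constructed.

```python
import re

# Snort 2.9 http_inspect global defaults (assumed from the Snort manual).
DEFAULT_MAX_GZIP_MEM = 838860          # bytes, the value quoted in the thread
DEFAULT_DEPTH = 1460                   # default compress_depth / decompress_depth
MIN_GZIP_MEM, MAX_GZIP_MEM = 3276, 100 * 1024 * 1024


def parse_http_inspect_global(conf_text):
    """Return the gzip-related settings from the http_inspect global line."""
    # snort.conf allows backslash line continuation; join those lines first.
    joined = re.sub(r"\\\n\s*", " ", conf_text)
    m = re.search(r"^preprocessor\s+http_inspect:\s*global\b(.*)$", joined, re.M)
    if not m:
        raise ValueError("no http_inspect global line found")
    opts = m.group(1)

    def num(name, default):
        hit = re.search(r"\b%s\s+(\d+)" % name, opts)
        return int(hit.group(1)) if hit else default

    return {
        "max_gzip_mem": num("max_gzip_mem", DEFAULT_MAX_GZIP_MEM),
        "compress_depth": num("compress_depth", DEFAULT_DEPTH),
        "decompress_depth": num("decompress_depth", DEFAULT_DEPTH),
    }


def gzip_sessions(settings):
    """Concurrent gzip sessions the memory budget allows (manual's formula).

    Beyond this count Snort should stop decompressing further streams, so the
    budget bounds total memory; it does not explain unbounded growth.
    """
    mem = settings["max_gzip_mem"]
    if not MIN_GZIP_MEM <= mem <= MAX_GZIP_MEM:
        raise ValueError("max_gzip_mem %d outside the allowed range" % mem)
    per_session = settings["compress_depth"] + settings["decompress_depth"]
    return mem // per_session


# Constructed sample: default memory budget but maximum inspection depths.
CONSTRUCTED_CONF = """# constructed snort.conf fragment
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \\
    compress_depth 65535 decompress_depth 65535 max_gzip_mem 838860
"""

if __name__ == "__main__":
    s = parse_http_inspect_global(CONSTRUCTED_CONF)
    print(s, "->", gzip_sessions(s), "concurrent gzip sessions")
```

With the defaults the budget is under 1 MB and allows 287 sessions; at maximum depths it drops to 6, which is why the setting alone cannot account for a process eating all memory.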
-
Should I message the developers' mailing list? For me it's clear we have a bug in this package.
-
> Should I message the developers' mailing list? For me it's clear we have a bug in this package.
You can, but if you mention "package on pfSense" or "pfSense" anywhere in your report they will just send you right back here, as they will assume somehow pfSense is to blame. The Snort package on pfSense uses the same Snort binary as is used on any other Linux/FreeBSD machine. So just tell them you think you have a memory leak issue with Snort using the HTTP_INSPECT preprocessor with gzip encoding enabled, and don't mention the platform you are running on unless they ask. If they ask, just say "FreeBSD 11" and don't mention pfSense.
I'm not trying to be coy and hide information, but just pointing out that the default response will likely be to send you right back to the pfSense forums if you mention pfSense in your bug report. Your issue is not with the pfSense package per se, it is potentially with the Snort binary, and that binary is the same as any other FreeBSD user would be using without pfSense in the mix.
Bill