Snort using tons of memory



  • I have an XG-7100 with 8 GB of memory.
    I've been using Snort on the two WAN interfaces, and after some tweaking everything has been working fine.
    But I was reading a tutorial that said I would be better off to enable Snort on the internal interfaces rather than the WAN interfaces to make it easier to track traffic to a particular internal host. Made sense, so I did that. Now I noticed my memory is running about 80% or thereabouts all the time.
    I do have 11 internal VLAN segments, and enabled Snort on each. I don't know much about Snort, but perhaps that enabled a new Snort instance on each segment? And that alone would explain the memory increase?
    If so, no problem, I will just add more memory. Just want to make sure something else isn't wrong.
    FYI: CPU usage idles at about 24%, so that's not an issue.

    Thanks for any guidance.



  • @markgca said in Snort using tons of memory:

    I have an XG-7100 with 8 GB of memory.
    I've been using Snort on the two WAN interfaces, and after some tweaking everything has been working fine.
    But I was reading a tutorial that said I would be better off to enable Snort on the internal interfaces rather than the WAN interfaces to make it easier to track traffic to a particular internal host. Made sense, so I did that. Now I noticed my memory is running about 80% or thereabouts all the time.
    I do have 11 internal VLAN segments, and enabled Snort on each. I don't know much about Snort, but perhaps that enabled a new Snort instance on each segment? And that alone would explain the memory increase?
    If so, no problem, I will just add more memory. Just want to make sure something else isn't wrong.
    FYI: CPU usage idles at about 24%, so that's not an issue.

    Thanks for any guidance.

    More memory usage is, of course, a natural consequence of adding Snort interfaces. Snort runs an interface in promiscuous mode, so in reality if you put it on an interface (parent interface, essentially), it should see all traffic traversing that interface including all the various VLANs. So you could try just putting a single instance on an interface with multiple defined VLANs and see what you see in the alerts log.



  • Thanks for the feedback

    I took a look at the multiple Snort interfaces, and they weren't using all that much. There were a couple of plugin processes that were using a lot, and I thought at least one had a memory leak, because when I rebooted the memory use went down. But after a couple of days, same thing.
    So Amazon to the rescue; plugged in another 16 GB, which was dirt cheap, and now it is using about 31% of the 24 GB, so all is well. CPU usage was never an issue (about 23% as I write this; I have seen it go as high as 80%, but that's rare and very temporary).

    So I'm done. I have everything installed I needed (and some plugins I just wanted to play with), and it runs everything I'm throwing at it, so I'm happy.

    Lucky I got this version; not sure the less powerful ones would do what I am asking.

