Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort using tons of memory

    Scheduled Pinned Locked Moved IDS/IPS
    3 Posts 2 Posters 610 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      markgca
      last edited by

      i have a XG-7100 with 8gb of memory
      been using snort on the two wan interfaces, and after some tweaking everything has been working fine.
      But was reading a tutorial that said i would be better off to enable snort on the internal interfaces rather than the wan interfaces to make it easier to track traffic to a particular internal host. made sense, so i did that. now i noticed my memory is running about 80% or thereabouts all the time.
      i do have 11 internal vlan segments, and enabled snort on each. i dont know much about snort, but perhaps that enabled a new snort instance on each segment? and that alone would explain the memory increase?
      if so no problem, i will just add more memory. just want to make sure something else isnt wrong.
      fyi; cpu usage idles at about 24%, so thats not an issue.

      thanks for any guidance

      bmeeksB 1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks @markgca
        last edited by

        @markgca said in Snort using tons of memory:

        i have a XG-7100 with 8gb of memory
        been using snort on the two wan interfaces, and after some tweaking everything has been working fine.
        But was reading a tutorial that said i would be better off to enable snort on the internal interfaces rather than the wan interfaces to make it easier to track traffic to a particular internal host. made sense, so i did that. now i noticed my memory is running about 80% or thereabouts all the time.
        i do have 11 internal vlan segments, and enabled snort on each. i dont know much about snort, but perhaps that enabled a new snort instance on each segment? and that alone would explain the memory increase?
        if so no problem, i will just add more memory. just want to make sure something else isnt wrong.
        fyi; cpu usage idles at about 24%, so thats not an issue.

        thanks for any guidance

        More memory usage is, of course, a natural consequence of adding Snort interfaces. Snort runs an interface in promiscuous mode, so in reality if you put it on an interface (parent interface, essentially), it should see all traffic traversing that interface including all the various VLANs. So you could try just putting a single instance on an interface with multiple defined VLANs and see what you see in the alerts log.

        M 1 Reply Last reply Reply Quote 1
        • M
          markgca @bmeeks
          last edited by

          Thanks for the feedback

          i took a look at the multiple snort interfaces, and they werent using all that much. There were a couple plugin processes that were using a lot, and i thought at least one had a memory leak, because when i rebooted the memory use went down. But after a couple days, same thing.
          so amazon to the rescue; plugged in another 16gb which was dirt cheap, and now it is using about 31% of the 24gb, so all is well. cpu usage was never an issue (about 23% as i write this, i have seen it goes as high as 80% but thats rare and very temporary)

          so im done, i have everything installed i needed (and some plugins i just wanted to play with), and it runs everything im throwing at it, so im happy.

          Lucky i got this version; not sure the less powerful ones would do what i am asking.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.