Snort eating up swap

  • I have pfsense 1.2.3 running on a soekris net5501.  I've been having issues trying to get snort to work.  I know the hardware is fine, I ran snort under OpenBSD, running it on the LAN and WAN interfaces at once with all rules active.  It worked great, never complained much.  The only pain was filtering false positives =P.

    Under pfsense when I try to run it, it slowly eats up all my memory, then all my swap, finally causing snort to exit out.  Is there some fundamental setting I'm missing?  I'm running it more or less default on the WAN interface only, with about half the rules checked.  It takes a while to exhaust memory and swap, but eventually does it.  I have 512 megs of ram on the system, and 2 gigs of swap space.

  • What version of snort, what configuration, what rules?  When you say "all rules" are you referring to the stock rules, or what?

  • I was just looking, and I am using 59% of the 10GB of disk space that I have allocated to pfSense.  I thought that was interesting based on the post.

    I have the following services and have about 5 external rules and 30 IPSEC rules:
    Package           Category            Version
    AutoConfigBackup  Services            1.15
    Avahi             Network Management  0.6.25
    Dashboard         System
    HAVP antivirus    Network Management  0.88_05
    Notes             Status              0.2.4
    nmap              Security            4.76
    phpSysInfo        System              2.5.4
    vnstat            Network Management  1.6.3

  • Ok, the firewall rules have nothing to do with Snort rules.  What Snort rules do you have enabled?

  • 512 MB of RAM is cutting it close, plus you're running other services as well. What is your performance setting in Snort? ac-bnfa works the best. Low mem consumption, faster loading, and it works. I have 1 pf box with 1 gig RAM and Snort, Squid, SquidGuard, HAVP, NUT running for over 40 days with just 56-60% RAM used and swap never used. I only have about 7-8 rule sets enabled in Snort at this time though.

  • I believe I was running ac-sparsebands.  I switched to ac-bnfa and it resolved the issue.  I think I was running out of RAM.  Even using ac-bnfa each instance still eats up a surprising amount of memory.  I suppose I wasn't expecting that since snort used to use a lot less for me under OpenBSD.
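The two posts above come down to one snort.conf setting, `config detection: search-method`, plus the number of rule files loaded. The following is an added example (not code from the thread or the pfSense Snort package) that audits a snort.conf for the memory-heavy pattern matchers and reports the low-memory alternative; the memory classes per method follow my reading of the Snort 2.x manual, the `SAMPLE_CONF` is constructed, the default-method fallback and the "more than 8 rule files on 512 MB" threshold (taken from the poster's 7-8 rule sets) are assumptions.

```python
import re

# Memory class of each Snort 2.x search-method, per the "config detection"
# section of the Snort manual (my reading; treat the classes as approximate).
SEARCH_METHODS = {
    "ac": "high memory", "ac-std": "high memory", "acs": "high memory",
    "ac-banded": "high memory", "ac-sparsebands": "high memory", "ac-q": "high memory",
    "ac-bnfa": "low memory", "ac-bnfa-q": "low memory", "ac-split": "low memory",
    "lowmem": "low memory", "lowmem-q": "low memory",
}

DETECTION_RE = re.compile(r"^\s*config\s+detection\s*:\s*(.*)$", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+\.rules)")

# Constructed snort.conf excerpt that reproduces the thread's bad setting.
SAMPLE_CONF = """\
var RULE_PATH /usr/local/etc/snort/rules
config detection: search-method ac-sparsebands max_queue_events 5
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/policy.rules
"""

def audit_snort_conf(conf_text, ram_mb):
    """Return the configured search-method, its memory class, the active
    rule files, and a list of findings for a box with ram_mb of RAM."""
    method = "ac-bnfa"  # assumption: Snort 2.x default when the line is absent
    rule_files = []
    for line in conf_text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            opts = m.group(1).split()
            if "search-method" in opts and opts.index("search-method") + 1 < len(opts):
                method = opts[opts.index("search-method") + 1].lower()
        m = INCLUDE_RE.match(line)  # commented-out includes do not match
        if m:
            rule_files.append(m.group(1))
    mem_class = SEARCH_METHODS.get(method, "unknown method")
    findings = []
    if mem_class == "high memory":
        findings.append(f"search-method {method} builds large state tables; "
                        f"use 'config detection: search-method ac-bnfa'")
    elif mem_class == "unknown method":
        findings.append(f"unrecognised search-method '{method}'")
    if ram_mb <= 512 and len(rule_files) > 8:  # heuristic from the thread
        findings.append(f"{len(rule_files)} rule files on {ram_mb} MB RAM; trim rule sets")
    return {"search_method": method, "memory_class": mem_class,
            "rule_files": rule_files, "findings": findings}
```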

  • Over time it does increase, but then stops at a certain point. I've gone 60+ days with it running ok. The thing is once you update the rules periodically anyway, Snort has to reload the rules and memory will decrease some anyway.
