Netgate Discussion Forum

    "Strange"? Memory Pattern Since Snort Migration

    General pfSense Questions
    • House Of Cards

      Hello all,

      I was using Suricata, but switched to Snort for the low cost managed rules, and fewer false positives to deal with. I've liked it much better than Suricata.

      One thing, though... I've noticed that the memory use was always consistent under Suricata, but with Snort, it has developed a pattern of usage which follows the automatic subscription download. See attached image.

      I'm not suffering any issues, but was wondering if anyone had any idea what Snort does differently that causes the erratic usage? Suricata updated rules frequently as well, but the usage changed gradually, rather than this choppy memory management.

      Snort.png

      Thanks for any insight you might have...
      Steve

      • bmeeks

        Snort will use more RAM temporarily during the restart sequence that happens at the end of a rules update task. When the rules are downloaded and extracted, all running Snort processes are restarted so they will pick up and start using the updated rules. That restart process is the memory uptick you are seeing. The amount of memory used is a function of the number of the active rules you have configured.

        • House Of Cards @bmeeks

          @bmeeks Thanks. I understand the update/swap thing is what's doing it. It just seemed "smoother" under Suricata. It's not a problem, just curious as to why the update memory usage is so dramatically different between the two.

          Have a great day...

          • Impatient

            Could it be that Suricata doesn't load some of the Snort rules?

            • bmeeks @Impatient

              @Impatient said in "Strange"? Memory Pattern Since Snort Migration:

              Could it be that Suricata doesn't load some of the Snort rules?

              That could be a portion of the difference, but it's mainly just in how the internal code of the binary handles setting things up as it reads in the configuration and acts upon it. Snort and Suricata are completely different animals in terms of their internal coding.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.