"Strange"? Memory Pattern Since Snort Migration


  • Hello all,

    I was using Suricata, but switched to Snort for the low-cost managed rules and fewer false positives to deal with. I've liked it much better than Suricata.

    One thing, though... I've noticed that the memory use was always consistent under Suricata, but with Snort, it has developed a pattern of usage which follows the automatic subscription download. See attached image.

    I'm not suffering any issues, but was wondering if anyone had any idea what Snort does differently that causes the erratic usage? Suricata updated rules frequently as well, but the usage changed gradually, rather than this choppy memory management.

    Snort.png

    Thanks for any insight you might have...
    Steve


  • Snort will use more RAM temporarily during the restart sequence that happens at the end of a rules update task. When the rules are downloaded and extracted, all running Snort processes are restarted so they will pick up and start using the updated rules. That restart process is the memory uptick you are seeing. The amount of memory used is a function of the number of the active rules you have configured.


  • @bmeeks Thanks. I understand the update/swap thing is what's doing it. It just seemed "smoother" under Suricata. It's not a problem, just curious as to why the update memory usage is so dramatically different between the two.

    Have a great day...


  • Could it be that Suricata doesn't load some of the Snort rules?


  • @Impatient said in "Strange"? Memory Pattern Since Snort Migration:

    Could it be that Suricata doesn't load some of the Snort rules?

    That could be a portion of the difference, but it's mainly just in how the internal code of the binary handles setting things up as it reads in the configuration and acts upon it. Snort and Suricata are completely different animals in terms of their internal coding.