Snort Memory Setting
-
I would like to know the best setting for memory setting with 1gig of ram installed .
-
ac-bnfa seems to be the best overall.
-
i tried that setting and it crashes snort.
-
I had some of those same issues. Did you manually enable any addtional rules after selecting that memory setting. I noticed if you do this, snort will crash out if you enable to many addtional rules on that setting. You can get by with maybe 50 or 60 addtional rules, but anything much more will kill it.
I have a DELL PowerEdge 2950 with dual quad core processors with 4 gig's of RAM and I can't run any higher of a memory setting than ac-bnfa or LOWMEM.
I bet it starts for about 5 seconds with high proccessing, SWAP usage, and then dies.
And with you running in ac-bnfa with 1 gig of RAM, I am assuming you are using around 50 - 53% of your memory. I am not sure what is going on with the other memory setting, but I am sure something is broken if the system I am using can't use any setting above AC-BNFA.
Matt
-
I second that AC-BNFA is the only usable setting for most systems. (My inner geek would love to see a system the handles AC with moderate traffic) My system has 2GB Ram with 3 interfaces running at this setting @ 23% memory usage with low traffic. It is also wise only to choose the categories that are necessary for that particular interface not all categories need to be checked. Use only what you need otherwise you will be wasting CPU time and memory for nothing.