During installation: how is size of swap partition determined?
-
I sort-of have snort working, which means it's simply running and spewing out messages, but it's not blocking, etc.
So running on three out of four interfaces, it uses up most of the system's resources: swap is at 89% and memory at 87%. Is Snort such a hog, or am I doing something stupid?
Also, seeing that a 60GB drive is nothing big these days (and even as an SSD it only cost me $50), wouldn't it be meaningful to make a somewhat bigger swap partition or size it as a percentage of available disk space?
Also, is there a way to increase the swap space without reinstalling the whole thing?
-
Swap uses FreeBSD's default, 2xRAM. If you're touching swap at all, you have issues. When your system memory goes from RAM speed to disk speed, you're going to have performance problems. With certain config options, Snort will use a ton of RAM. You don't need more swap, you need to fix whatever is chewing up all your RAM. You have to reinstall if you want more swap, but don't bother.
-
@cmb:
Swap uses FreeBSD's default, 2xRAM. If you're touching swap at all, you have issues. When your system memory goes from RAM speed to disk speed, you're going to have performance problems.
At least I have a reasonably fast SSD, but yes, I'd rather not hit swap, particularly since I have 4GB RAM, which one might think ought to be sufficient…
@cmb:
With certain config options, Snort will use a ton of RAM. You don't need more swap, you need to fix whatever is chewing up all your RAM. You have to reinstall if you want more swap, but don't bother.
Any specific options to look out for? I don't think I enabled anything in particular, but the rule sets it downloads seem to be rather large…
-
You can try setting the snort instance to 'lowmem' instead of the default. Otherwise it doesn't matter how big the ruleset you downloaded is, it's about how many of those categories you have enabled. The more categories you have enabled, the more memory (and CPU) it will use.
-
You can try setting the snort instance to 'lowmem' instead of the default. Otherwise it doesn't matter how big the ruleset you downloaded is, it's about how many of those categories you have enabled. The more categories you have enabled, the more memory (and CPU) it will use.
Well, good to know. I almost killed my box and I had to disable SNORT.
-
Yeah, snort has a bunch of different optimization settings for memory/CPU usage. I've run into this problem as well and had to change my settings. I have a business I deployed it in with 100+ users and snort on the WAN interface. After a day or two it's up to 90% usage with a good amount of swap being used. Snort does seem to be a bit of a memory hog, but I found that optimizing the firewall algorithm to aggressive and playing with how many states pfSense can have, etc., in the advanced settings can help as well. I guess it depends on your environment/traffic load.