• Hi, over the days with an uptime of 10 days, 17:05u; I see my memory usage growing.
    Now it has already reached 70%. When it was just installed, the memory usage was about <15%.
    Currently I have activated all default services with PPTP and Snort (with autoblock).
    After restarting the snort service, memory dropped to 64% ram usage.

    What could be wrong and can I fix this?
    (Last week I have ordered a memory upgrade to 512 ram, maximum supported system memory).

    Details about my pfsense-box:
    1.0.1
    built on Sun Oct 29 01:07:16 UTC 2006
    Current memory is 256 mb ram
    swap disk is 512 mb.
    Hard disk several gigabyte.


  • Run top from Diagnostics -> Command -> Execute Shell command -> Command

    Monitor the individual processes' memory usage over the course of a few days.

    But a complete wild guess would be Snort.


  • This is the output of top:

    $ top
    last pid: 79664;  load averages:  0.00,  0.02,  0.01  up 12+00:14:04    22:07:48
    28 processes:  2 running, 26 sleeping
    
    Mem: 124M Active, 49M Inact, 37M Wired, 4996K Cache, 34M Buf, 27M Free
    Swap: 512M Total, 512M Free
    
      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
    40965 root        1  -8    0 20656K 18376K piperd   0:33  1.07% php
    60233 root        1 116   20 10160K  9428K RUN      3:35  0.34% lighttpd
    76679 root        1   8   20  2572K  1924K wait    10:41  0.00% sh
     3231 root        1 -58    0   113M 79564K bpf      6:21  0.00% snort
      297 root        1 -58    0  4124K  1992K bpf      0:43  0.00% tcpdump
      597 _ntp        1  96    0  1256K   940K select   0:18  0.00% ntpd
      174 root        1  96    0  1360K   952K select   0:15  0.00% syslogd
      498 proxy       1   4    0   656K   308K kqread   0:11  0.00% pftpx
      563 dhcpd       1  96    0  2100K  1748K select   0:10  0.00% dhcpd
      418 nobody      1  96    0  1328K   972K select   0:09  0.00% dnsmasq
      600 root        1   8    0  1304K   960K nanslp   0:08  0.00% cron
      393 root        1   4    0 20656K 17540K accept   0:06  0.00% php
      298 root        1  -8    0  1196K   664K piperd   0:04  0.00% logger
      598 root        1  96    0  1296K   944K select   0:03  0.00% ntpd
      250 _dhcp       1  96    0  1388K  1008K select   0:01  0.00% dhclient
    74618 root        1  96    0  1288K   628K select   0:00  0.00% mpd
     3234 root        1   4    0  1212K   892K kqread   0:00  0.00% snort2c
      394 root        1   8    0 13080K  3336K wait     0:00  0.00% php
    
    

  • Snort is using the most memory.
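
Watching per-process memory over a few days, as suggested earlier in the thread, can be done by saving `top` output to files and comparing snapshots. The script below is an added example, not part of any post in this thread; the function names `res_by_command` and `res_growth` are hypothetical, and it assumes the 11-column `top` layout shown above.

```shell
#!/bin/sh
# Added example (not from the thread): compare two saved top snapshots.
# Assumes the layout shown in the thread: RES is field 7, COMMAND is last.

# awk helper: convert a SIZE/RES value such as 79564K or 113M to kilobytes.
KB_FN='function kb(v,  n, u) { u = substr(v, length(v)); n = v + 0
    if (u == "M") return n * 1024
    if (u == "G") return n * 1024 * 1024
    return n }'

# res_by_command: top output on stdin -> "<RES KB> <command>", largest first.
# Several processes with the same name (e.g. php) are summed.
res_by_command() {
    awk "$KB_FN"'
        # Process rows start with a numeric PID; NF guards against summary lines.
        $1 ~ /^[0-9]+$/ && NF >= 11 { res[$NF] += kb($7) }
        END { for (c in res) printf "%d %s\n", res[c], c }' | sort -rn
}

# res_growth OLD NEW: commands whose summed RES grew, as "<KB grown> <command>".
res_growth() {
    awk "$KB_FN"'
        $1 ~ /^[0-9]+$/ && NF >= 11 {
            if (FILENAME == ARGV[1]) before[$NF] += kb($7)
            else after[$NF] += kb($7)
        }
        END { for (c in after) { d = after[c] - before[c]
                                 if (d > 0) printf "%d %s\n", d, c } }' "$1" "$2" | sort -rn
}

# Constructed demo input: three process rows copied from the top output above.
res_by_command <<'EOF'
28 processes:  2 running, 26 sleeping
40965 root        1  -8    0 20656K 18376K piperd   0:33  1.07% php
 3231 root        1 -58    0   113M 79564K bpf      6:21  0.00% snort
  393 root        1   4    0 20656K 17540K accept   0:06  0.00% php
EOF
```

A command that appears in every `res_growth` report across several days is the leak candidate; one that only grows once after a restart is usually just warming up its caches.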


  • I see. But why did the (total) memory usage not drop back to about 15% when I restarted the snort service earlier?

    Update
    I have reinstalled the snort package, expecting this to update the package to the latest version as published in the news section of the snort.org site. Also because, as the news topic states:

    _Snort v2.6.1.5 has been released. The software and source code is available at: http://snort.org/dl/

    Snort v2.6.1.5 includes:

    * A new http_post rule keyword used to search for content in normalized HTTP posts
    * A fix for a potential memory leak when generating HTTP Inspection events_

    Although this was a misconception, a pleasant side effect was that the memory usage dropped to 30%!

    Off-topic: the news section writes about the OSSEC Host-based Intrusion Detection System. (Snort is network-based.) Is such a package available for pfSense? (Snort and OSSEC look like a nice combination to me; is it?)


  • Any HIDS on a firewall isn't going to be as useful as HIDS on actual accessible systems (like servers). Network IDS/IPS is much more important and relevant on a firewall. We may add some sort of HIDS package in the (maybe distant) future though.