Snort Memory Consumption



  • I'm having an issue where my snort sensors are using over 700 mb of memory each. If I only had one sensor that would not really matter, but I have 7! We've had to tweak the amount of rules and Emerging threats that are used and frankly I don't want to have to sacrifice not using all or most of the rule sets.

    Is this the norm? Does anyone have any suggestions on tweaking the memory usage? In the gui the selected option for the lowest memory consumption for best performance is already selected (I think it was the default)

    I believe I read somewhere that each sensor by default should only use 200 MB each.

    Bitto



  • @ESWBitto:

    I'm having an issue where my snort sensors are using over 700 mb of memory each. If I only had one sensor that would not really matter, but I have 7! We've had to tweak the amount of rules and Emerging threats that are used and frankly I don't want to have to sacrifice not using all or most of the rule sets.

    Is this the norm? Does anyone have any suggestions on tweaking the memory usage? In the gui the selected option for the lowest memory consumption for best performance is already selected (I think it was the default)

    I believe I read somewhere that each sensor by default should only use 200 MB each.

    Bitto

    Snort with a lot of enabled rules and a lot of connections will eat memory.  There are settings that can be tweaked to improve this a bit, but nothing beats having at least 4 GB of RAM per sensor.  RAM is pretty cheap these days anyway.

    Also, there is no point in trying to run all the rules (both ET and Snort VRT).  I'm sure there are partisans on both sides of the issue who will swear one set is better than the other (ET vs. VRT), but you might consider choosing Snort VRT with the IPS-Connectivity policy to start with.  That will catch most stuff and not give a lot of false positives.  As you gain experience with Snort and its behavior with your specific network traffic, you can bump up to the IPS-Balanced or even IPS-Security policies.  Just be aware that these are likely to start giving false positives and need tuning.

    Here is a link about hardware sizing for Snort:  http://mikelococo.com/2011/08/snort-capacity-planning/

    Bill