Snort memory usage drops by %50



  • Does anyone know why when starting the snort process my memory usage goes up to %69 and then after a few days its down to about %20-30.  Is this normal… shouldnt it stay at %69 ?!
    I'm running it in AC mode so that it uses more memory on purpose.


  • Moderator

    At startup, Snort will use more memory as it is configuring and loading all of its settings. Recommend also to use "AC-BNFA-NQ".



  • @BBcan177:

    At startup, Snort will use more memory as it is configuring and loading all of its settings. Recommend also to use "AC-BNFA-NQ".

    Thanks, I prefer AC because I have the pfsense model C2758 and it has 8gb of ram.


  • Moderator

    There are issues with using "AC", even if RAM is available…

    Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.



  • @BBcan177:

    There are issues with using "AC", even if RAM is available…

    Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.

    thx for the tip!
    how much ram do you have ?


  • Moderator

    @fantasypoo:

    @BBcan177:

    There are issues with using "AC", even if RAM is available…

    Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.

    thx for the tip!
    how much ram do you have ?

    Several different boxes in the range of 3GB, 4GB, 8GB, 32GB…

    Even at 32GB, "AC" was causing issues, plus it takes forever to reload the Snort config when using "AC". It also caused some random Snort crashes with no particular log errors to debug... My 2cents!



  • @fantasypoo:

    @BBcan177:

    There are issues with using "AC", even if RAM is available…

    Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :)  (Me included).  Several posts in the IDS forum.

    thx for the tip!
    how much ram do you have ?

    https://forum.pfsense.org/index.php?topic=75216.msg410701#msg410701
    I read this forum post and the suggestion was more ram.  I have ordered another 8gb ECC ram …hopefully this will be the cure for running it in AC mode.



  • No modes other than AC-BNFA or AC-BNFA-NQ are recommended.  Expect problems with AC mode.  Don't know why, but it just seems to gobble up RAM and does not really boost performance much – certainly not enough of a boost to justify the random issues it causes.

    Bill



  • @bmeeks:

    No modes other than AC-BNFA or AC-BNFA-NQ are recommended.  Expect problems with AC mode.  Don't know why, but it just seems to gobble up RAM and does not really boost performance much – certainly not enough of a boost to justify the random issues it causes.

    Bill

    hmm.. does the same apply to Suricata ?  Default is AC


  • Banned

    AC-BNFA-NQ is not available in Suricata.



  • I will upgrade to 32gb ram over the coming weeks…  I may sound like a raving lunatic but I can't stand for this "AC-BNFA-NQ"



  • @fantasypoo:

    hmm.. does the same apply to Suricata ?  Default is AC

    Suricata is a completely different binary code base.  You can't really compare the two in this area.

    Bill


Log in to reply