Snort memory usage drops by %50

fantasypoo · Nov 14, 2015, 1:16 PM

Does anyone know why when starting the snort process my memory usage goes up to %69 and then after a few days its down to about %20-30. Is this normal… shouldnt it stay at %69 ?!
I'm running it in AC mode so that it uses more memory on purpose.

BBcan177 · Nov 14, 2015, 1:38 PM

At startup, Snort will use more memory as it is configuring and loading all of its settings. Recommend also to use "AC-BNFA-NQ".

fantasypoo · Nov 14, 2015, 3:11 PM

@BBcan177:

At startup, Snort will use more memory as it is configuring and loading all of its settings. Recommend also to use "AC-BNFA-NQ".

Thanks, I prefer AC because I have the pfsense model C2758 and it has 8gb of ram.

BBcan177 · Nov 14, 2015, 3:13 PM

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :) (Me included). Several posts in the IDS forum.

fantasypoo · Nov 14, 2015, 3:16 PM

@BBcan177:

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :) (Me included). Several posts in the IDS forum.

thx for the tip!
how much ram do you have ?

BBcan177 · Nov 14, 2015, 3:21 PM

@fantasypoo:

@BBcan177:

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :) (Me included). Several posts in the IDS forum.

thx for the tip!
how much ram do you have ?

Several different boxes in the range of 3GB, 4GB, 8GB, 32GB…

Even at 32GB, "AC" was causing issues, plus it takes forever to reload the Snort config when using "AC". It also caused some random Snort crashes with no particular log errors to debug... My 2cents!

fantasypoo · Nov 14, 2015, 3:24 PM

@fantasypoo:

@BBcan177:

There are issues with using "AC", even if RAM is available…

Several people have had issues and dropped down to "AC-BNFA-NQ" and never looked back :) (Me included). Several posts in the IDS forum.

thx for the tip!
how much ram do you have ?

https://forum.pfsense.org/index.php?topic=75216.msg410701#msg410701
I read this forum post and the suggestion was more ram. I have ordered another 8gb ECC ram …hopefully this will be the cure for running it in AC mode.

bmeeks · Nov 15, 2015, 2:04 AM

No modes other than AC-BNFA or AC-BNFA-NQ are recommended. Expect problems with AC mode. Don't know why, but it just seems to gobble up RAM and does not really boost performance much – certainly not enough of a boost to justify the random issues it causes.

Bill

fantasypoo · Nov 15, 2015, 3:30 AM

@bmeeks:

No modes other than AC-BNFA or AC-BNFA-NQ are recommended. Expect problems with AC mode. Don't know why, but it just seems to gobble up RAM and does not really boost performance much – certainly not enough of a boost to justify the random issues it causes.

Bill

hmm.. does the same apply to Suricata ? Default is AC

doktornotor · Nov 15, 2015, 8:37 AM

AC-BNFA-NQ is not available in Suricata.

fantasypoo · Nov 15, 2015, 2:04 PM

I will upgrade to 32gb ram over the coming weeks… I may sound like a raving lunatic but I can't stand for this "AC-BNFA-NQ"

bmeeks · Nov 16, 2015, 1:21 PM

@fantasypoo:

hmm.. does the same apply to Suricata ? Default is AC

Suricata is a completely different binary code base. You can't really compare the two in this area.

Bill