[7.460][BUG][FIXED] High Memory Usage of snort

Just installed the new package and noticed that my memory usage is pretty high. I think the problem is snort. If you look at the rules that are available compared to the ones that are enabled, its almost the same number. There were a lot of rules that were disabled before.

Memory is 896mb ( I am a cheap a$$) and it is a dual processor machine with no load and only 3 users.

Parents

0 Cath over 15 years ago

Certainly is a lot of rules to run up, my memory usage was quite a bit less so I started playing around with the number of rules as well and difference between 5506 patterns and 7900 only looks to be about 1% memory difference on my system running with 1GB.

On the other hand playing with the web security and turning on IM/P2P and AV scanners changing from single to dual scan increased the amount used by 7%.

With all this on I'm sitting at about 58% usage with very little traffic going through the system.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Billybob over 15 years ago in reply to Cath

I think the difference is coming in with the number of cpu's (dual core etc). If you look at the release notes, they mentioned...

Major New Things
Intrusion Protection Performance
*Uses new version of the IPS engine
*Scales massively when used with Multi-Core CPU/Appliances

I had talked about this previously when 7.45 was first released. Snort runs 2 instances when running on dual proc/core machine; therefore twice the memory usage.
- top.JPG
- View
- Hide
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Billybob over 15 years ago in reply to Cath

I think the difference is coming in with the number of cpu's (dual core etc). If you look at the release notes, they mentioned...

Major New Things
Intrusion Protection Performance
*Uses new version of the IPS engine
*Scales massively when used with Multi-Core CPU/Appliances

I had talked about this previously when 7.45 was first released. Snort runs 2 instances when running on dual proc/core machine; therefore twice the memory usage.
- top.JPG
- View
- Hide
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Cath over 15 years ago in reply to Billybob

Ah, that would make sense for the multiproc, I'm only running on a single cpu system.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 15 years ago in reply to Billybob

I had talked about this previously when 7.45 was first released. Snort runs 2 instances when running on dual proc/core machine; therefore twice the memory usage.

So if I have 1CPU with HyperThreading, how many Snorts do I get?

On 7.402, Snort uses between 5% and 60% of my CPU, depending on how much Bittorrent traffic I have going, and if I'm copying files across LANs, so I'm not especially worried about performance, but memory usage is a big concern.

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Monarch over 15 years ago in reply to BarryG

Well my virtual system takes 68% of 1 GByte of vRAM (HTTP AV active). Enabling HTTP AV takes approx. 10-12% for no reason (AV engine should be loaded already through SMTP/FTP/POP3 AV, at least to my understanding)?

Regards,
Bastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 15 years ago in reply to BarryG

I acutally notice my own ASG running quite lean, with over now 8600 patterns (up first by an addition of around 1300 more rules, and now another 300).

The mem usage is currently sitting at just over 300MB, with IPS, Web, VPNs, and other things running.

Hi Angelo,
One thing I've noticed regarding memory usage is that the accounting page under reporting can use a LOT of memory... I've seen memory usage grow to over 1GB (from a baseline of 350MB or less, according to 'free') when trying to view that page.
I've posted about it previously at
https://community.sophos.com/products/unified-threat-management/astaroorg/f/53/t/32305

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 15 years ago in reply to BarryG

As all Astaro appliances with Dual Core CPU's have 2gb+ of memory, please let us know if you see high ram usages on lower memory systems with true dual cores. (AFAIK hyper threading doesn't cause multi-instance spawns, but i will check this).

Hi Angelo,
I just installed 7.460 on my single-core Atom system, and I've now got 2 snort processes running, consuming lots of RAM.

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BuBU over 15 years ago in reply to BarryG

Hi Angelo,
I just installed 7.460 on my single-core Atom system, and I've now got 2 snort processes running, consuming lots of RAM.

Thanks,
Barry

single-core but with hyperthreading active ? if yes I think this is normal to have 2 snort processes as they did improved it for SMP systems...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Astaro Beta Bot over 15 years ago in reply to BuBU

Astaro Beta Report
--------------------------------
Version: 7.460
Type: BUG
State: FIXED
Reporter: Billybob
Contributor: 
MantisID: 10797
--------------------------------

0 ee-tra over 14 years ago in reply to Astaro Beta Bot

The number of snort instances can be reduced to reduce memory usage.
The option is not offered via webadmin, but is adjustable via confd-client.

$ cc

MAIN- > ips -> num_instances

You can set the value with '=1' to have only one instance.
0 is used for auto selection.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 14 years ago in reply to ee-tra

Excellent!

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Billybob over 14 years ago in reply to ee-tra

The number of snort instances can be reduced to reduce memory usage.

Hey finally some inside knowledge... I wish there was some kind of reference manual for hidden stuff like this.
Thanks for sharing.
- confdaemon.JPG
- View
- Hide
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel