Author Topic: Snort eating up swap  (Read 1445 times)
iggdawg
« on: May 18, 2009, 11:53:28 am »

I have pfsense 1.2.3 running on a soekris net5501.  I've been having issues trying to get snort to work.  I know the hardware is fine, I ran snort under OpenBSD, running it on the LAN and WAN interfaces at once with all rules active.  It worked great, never complained much.  The only pain was filtering false positives =P.

Under pfsense when I try to run it, it slowly eats up all my memory, then all my swap, finally causing snort to exit out.  Is there some fundamental setting I'm missing?  I'm running it more or less default on the WAN interface only, with about half the rules checked.  It takes a while to exhaust memory and swap, but eventually does it.  I have 512 megs of ram on the system, and 2 gigs of swap space.
Cry Havok
Backup: n. What you should have done yesterday.
« Reply #1 on: May 18, 2009, 12:29:49 pm »

What version of snort, what configuration, what rules?  When you say "all rules" are you referring to the stock rules, what?

If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.
fastcon68
« Reply #2 on: May 18, 2009, 08:32:44 pm »

I was just looking and I am using 59% of 10GB of disk space that I have allocated to Pf-Sense.  I thought that was interesting based on the post.

I have the following services and have about 5 external rules and 30 IPSEC rules:
AutoConfigBackup  Services  1.15
Avahi  Network Management  0.6.25
Dashboard  System  0.7.6.2
HAVP antivirus  Network Management  0.88_05
Notes  Status  0.2.4
nmap  Security  4.76
phpSysInfo  System  2.5.4
vnstat  Network Management  1.6.3


RC
Cry Havok
« Reply #3 on: May 19, 2009, 01:05:04 am »

Ok, the firewall rules have nothing to do with Snort rules.  What Snort rules do you have enabled?
ColdFusion
« Reply #4 on: May 19, 2009, 05:34:43 am »

512 RAM is cutting it close, plus you're running other services as well. What is your performance setting in Snort? ac-bnfa works the best. Low mem consumption, faster loading, and it works. I have 1 Pf box with 1 gig RAM and Snort, Squid, Squidguard, havp, nut running for over 40 days with just 56-60% RAM used and swap never used. I only have about 7-8 rule sets enabled in Snort at this time though.
iggdawg
« Reply #5 on: May 21, 2009, 07:31:54 am »

I believe I was running ac-sparsebands.  I switched to ac-bnfa and it resolved the issue.  I think I was running out of RAM.  Even using ac-bnfa, each instance still eats up a surprising amount of memory.  I suppose I wasn't expecting that since snort used to use a lot less for me under OpenBSD.
ColdFusion
« Reply #6 on: May 22, 2009, 06:46:07 am »

Over time it does increase, but then stops at a certain point. I've gone 60+ days with it running ok. The thing is once you update the rules periodically anyway, Snort has to reload the rules and memory will decrease some anyway.