
Author Topic: Snort eating up swap  (Read 1715 times)


Offline iggdawg

Snort eating up swap
« on: May 18, 2009, 11:53:28 am »
I have pfsense 1.2.3 running on a soekris net5501.  I've been having issues trying to get snort to work.  I know the hardware is fine, I ran snort under OpenBSD, running it on the LAN and WAN interfaces at once with all rules active.  It worked great, never complained much.  The only pain was filtering false positives =P.

Under pfsense when I try to run it, it slowly eats up all my memory, then all my swap, finally causing snort to exit out.  Is there some fundamental setting I'm missing?  I'm running it more or less default on the WAN interface only, with about half the rules checked.  It takes a while to exhaust memory and swap, but eventually does it.  I have 512 megs of ram on the system, and 2 gigs of swap space.

Offline Cry Havok

Re: Snort eating up swap
« Reply #1 on: May 18, 2009, 12:29:49 pm »
What version of snort, what configuration, what rules?  When you say "all rules" are you referring to the stock rules, what?
If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.

Offline fastcon68

Re: Snort eating up swap
« Reply #2 on: May 18, 2009, 08:32:44 pm »
I was just looking and I am using 59% of 10GB of disk space that I have allocated to Pf-Sense.  I thought that that was interesting based on the post.

I have the following services and have about 5 external rules and 30 IPSEC rules:
AutoConfigBackup  Services  1.15
Avahi  Network Management  0.6.25
Dashboard  System  0.7.6.2
HAVP antivirus  Network Management  0.88_05
Notes  Status  0.2.4
nmap  Security  4.76
phpSysInfo  System  2.5.4
vnstat  Network Management  1.6.3


RC

Offline Cry Havok

Re: Snort eating up swap
« Reply #3 on: May 19, 2009, 01:05:04 am »
Ok, the firewall rules have nothing to do with Snort rules.  What Snort rules do you have enabled?

Offline ColdFusion

Re: Snort eating up swap
« Reply #4 on: May 19, 2009, 05:34:43 am »
512 Ram is cutting it close, plus you're running other services as well. What is your performance setting in Snort? ac-bnfa works the best. Low mem consumption, faster loading, and it works. I have 1 Pf box with 1 gig ram and Snort, Squid, Squidguard, havp, nut running for over 40 days with just 56-60% ram used and swap never used. I only have about 7-8 rule sets enabled in Snort at this time though.

Offline iggdawg

Re: Snort eating up swap
« Reply #5 on: May 21, 2009, 07:31:54 am »
I believe I was running ac-sparsebands.  I switched to ac-bnfa and it resolved the issue.  I think I was running out of RAM.  Even using ac-bnfa each instance still eats up a surprising amount of memory.  I suppose I wasn't expecting that since snort used to use a lot less for me under openbsd.
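
An added example, not part of the thread and not Snort's own code: a simplified Aho-Corasick matcher that compares the storage needed by a full per-byte transition matrix with the sparse trie-plus-failure-link (NFA) form, the kind of trade-off behind the search-method setting discussed above. The patterns and input are constructed, and the cell counts are a stand-in for real memory usage, not a measurement of Snort.

```python
from collections import deque

def build(patterns):
    """Build goto edges, failure links and output sets for the patterns."""
    goto, out = [{}], [set()]
    for p in patterns:
        s = 0
        for b in p:
            if b not in goto[s]:
                goto.append({})
                out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(p)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())      # depth-1 states fail to the root
    while queue:
        s = queue.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] |= out[fail[t]]       # inherit matches ending at the suffix
            queue.append(t)
    return goto, fail, out

def search(automaton, data):
    """Scan data once using the sparse form; return the set of patterns found."""
    goto, fail, out = automaton
    s, hits = 0, set()
    for b in data:
        while s and b not in goto[s]:    # extra failure hops: the CPU cost
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= out[s]
    return hits

def storage_cells(automaton):
    """Table cells needed: (full 256-column matrix, sparse edges + fail links)."""
    goto, fail, _ = automaton
    full_matrix = len(goto) * 256
    sparse_nfa = sum(len(edges) for edges in goto) + len(fail)
    return full_matrix, sparse_nfa

# Constructed sample patterns and input, for illustration only.
PATTERNS = [b"GET /", b"POST /", b"User-Agent", b"Content-Length"]
SAMPLE = b"POST /login HTTP/1.1\r\nContent-Length: 0\r\n"

if __name__ == "__main__":
    ac = build(PATTERNS)
    print(sorted(search(ac, SAMPLE)), storage_cells(ac))
```

The gap widens with every pattern added, which is why the number of enabled rule sets and the search method both matter on a 512 MB box.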

Offline ColdFusion

Re: Snort eating up swap
« Reply #6 on: May 22, 2009, 06:46:07 am »
Over time it does increase, but then stops at a certain point. I've gone 60+ days with it running ok. The thing is once you update the rules periodically anyway, Snort has to reload the rules and memory will decrease some anyway.