[Snort-users] Snort for Windows Memory Climbing
This is a discussion on [Snort-users] Snort for Windows Memory Climbing within the Snort forums, part of the System Security and Security Related category; This is a multi-part message in MIME format. ------=_NextPart_000_0362_01C44BB6.CE11F170 Content-Type: text/plain; charset="iso-8859-1&...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
06-06-2004
|
|||
|
|||
[Snort-users] Snort for Windows Memory Climbing
This is a multi-part message in MIME format.
------=_NextPart_000_0362_01C44BB6.CE11F170 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Greetings, I've been working on a distributed IDS project using Snort (Windows = compile), and I came across a bit of a snag. Although I don't know = technically how serious this is, e.g., I'm not calling this is a denial = or service or anything since I couldn't reproduce any crashing or = whatnot, so I thought maybe the problem was in my approach but not in = Snort. First, the command line arguments I'm using are: snort -l /assigned/tmp/ -c /snort/etc/snort.conf -N -q -A console -v Verbose output, dumping all information to the console, logging = disabled. The point of the dump is to keep as little data as possible = from touching the drives until they are processed by my wrapper. That = way stuff like portscans, DDoS and general events that happen hundreds = of thousands of times can be simplified before writing and IPS = activities can be activated after an event gets "reclassified" to a = higher level. So, in short: dump to screen output -> captured by buffered reader -> = processed -> kept in memory for awhile -> dumped periodically. What is surprising me, however, is that Snort is the application that's = significantly growing in memory use. It started off using about 16 megs = of memory, and eventually grew to 44 megs before it started using swap. = What I'm doing is fairly simple -- running nmap against the host over = and over and over with the following option: nmap -p 1-65534 192.168.0.100 Also, there's a constant steam of "Malformed UDP packets" that come = across the net due to a cheap broadband router I've got installed -- = about 1 generated per second (although they come across as being = generated 5 every 5 seconds in a lump.) It took about 350,000 alerts to make it reach this level, but I'm just = wondering if there's something I can do to make Snort flush or garbage = collect, or not use as much memory or if this is, indeed, a memory leak = somewhere in the system. Also, and might as well ask, if this is = standard behavior for Snort to grow in size as its being used intensely. Take care, Eric ------=_NextPart_000_0362_01C44BB6.CE11F170 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Greetings,</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>I've been working on a distributed IDS = project=20 using Snort (Windows compile), and I came across a bit of a=20 snag. Although I don't know technically how serious this is, e.g., = I'm not=20 calling this is a denial or service or anything since I couldn't = reproduce any=20 crashing or whatnot, so I thought maybe the problem was in my approach = but not=20 in Snort.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>First, the command line arguments I'm = using=20 are:</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>snort -l /assigned/tmp/ -c = /snort/etc/snort.conf -N=20 -q -A console -v</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Verbose output, dumping all information = to the=20 console, logging disabled. The point of the dump is to keep as=20 little data as possible from touching the drives until they are = processed=20 by my wrapper. That way stuff like portscans, DDoS and general = events that=20 happen hundreds of thousands of times can be simplified before writing = and IPS=20 activities can be activated after an event gets "reclassified" to a = higher=20 level.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>So, in short: dump to screen output=20 -> captured by buffered reader -> processed -> kept = in memory=20 for awhile -> dumped periodically.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>What is surprising me, however, is that = Snort is=20 the application that's significantly growing in memory use. It = started off=20 using about 16 megs of memory, and eventually grew to 44 megs before it = started=20 using swap. What I'm doing is fairly simple -- running nmap = against the=20 host over and over and over with the following option:</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>nmap -p 1-65534 = 192.168.0.100</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Also, there's a constant steam of = "Malformed UDP=20 packets" that come across the net due to a cheap broadband router I've = got=20 installed -- about 1 generated per second (although they come across as = being=20 generated 5 every 5 seconds in a lump.)</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>It took about 350,000 alerts to make it = reach this=20 level, but I'm just wondering if there's something I can do to make = Snort flush=20 or garbage collect, or not use as much memory or if this is, = indeed, a=20 memory leak somewhere in the system. Also, and might as well ask, = if this=20 is standard behavior for Snort to grow in size as its being used=20 intensely.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Take care,</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Eric</FONT></DIV></BODY></HTML> ------=_NextPart_000_0362_01C44BB6.CE11F170-- ------------------------------------------------------- This SF.Net email is sponsored by the new InstallShield X. From Windows to Linux, servers to mobile, InstallShield X is the one installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504 _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
