Selasa, 05 September 2006

Snort 2.6.0 High Memory Usage on FreeBSD

I've been working with Snort 2.6.0 on FreeBSD.

When you look at the snort.conf you'll see a bunch of rules commented out.


# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules

When you start Snort you'll see it uses much more memory compared to earlier versions.

654 root 1 -58 0 248M 247M bpf 0 0:01 3.30% snort

If this is too much, and you are willing to sacrifice Snort performance, you can enable the following in snort.conf:

config detection: search-method lowmem

This results in less memory usage.

656 root 1 -58 0 39800K 39128K bpf 0 0:01 0.00% snort

With this option enabled you can even uncomment all rules.

661 root 1 -58 0 59224K 58580K bpf 0 0:01 1.95% snort

What if you want the best performance and all rules? Well, on FreeBSD you are going to encounter a 512 MB default RAM limitation that will prevent Snort from running.
 
# limit
cputime unlimited
filesize unlimited
datasize 524288 kbytes
stacksize 65536 kbytes
coredumpsize unlimited
memoryuse unlimited
vmemoryuse unlimited
descriptors 11095
memorylocked unlimited
maxproc 5547
sbsize unlimited

You can change this by making the following entries in /boot/loader.conf:

kern.dfldsiz="1G" # Set the initial data size limit
kern.maxdsiz="1G" # Set the max data size

Reboot when done. Here is the result.

# limit
cputime unlimited
filesize unlimited
datasize 1048576 kbytes
stacksize 65536 kbytes
coredumpsize unlimited
memoryuse unlimited
vmemoryuse unlimited
descriptors 11095
memorylocked unlimited
maxproc 5547
sbsize unlimited


Now you can run Snort with all rules and best performance, and see it occupies over 900 MB.

645 root 1 -58 0 925M 926M bpf 0 0:04 0.00% snort

I have not tested Snort to see the effect of various options, although I prefer to run as many rule sets as makes sense for my environment. Note I did not add Bleeding or Community rule sets for this example.

0 komentar:

Posting Komentar