Bug #15048

open

Snort large memory consumption when updating

Added by Ricardo ot 5 months ago. Updated 2 months ago.

Status:
New
Priority:
High
Assignee:
-
Category:
Snort
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.7.1
Affected Plus Version:
Affected Architecture:
amd64

Description

Snort since the last updates uses a lot of memory when updating and it has a big impact. Can this be improved?

Thanks,

I have these configurations active for 2 interfaces:
  • Resolve Flowbits: checked.
  • Use IPS Policy: checked.
  • IPS Policy Selection: Connectivity.
  • All the rulesets (categories): all checked.

I already changed the pfBlockerNG configuration to use "Unbound python mode" and changed the time so that the update is not done at the same time. This has improved pfBlockerNG's memory usage.

System logs:

Nov 29 00:48:16 php 46952 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
Nov 29 00:45:00 php 46952 [pfBlockerNG] Starting cron process.
Nov 29 00:25:57 php 85398 [Snort] The Rules update has finished.
Nov 29 00:25:57 php 85398 [Snort] Snort has restarted on WANONT with your new set of rules...
Nov 29 00:25:45 php 85398 [Snort] Snort START for WANONT...
Nov 29 00:25:44 kernel pid 31736 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
Nov 29 00:25:44 snort 31736 *** Caught Term-Signal
Nov 29 00:25:43 php 85398 [Snort] Snort STOP for WANONT...
Nov 29 00:25:42 php 85398 [Snort] Building new sid-msg.map file for WANONT...
Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...
Nov 29 00:25:42 php 85398 [Snort] Enabling any flowbit-required rules for: WANONT...
Nov 29 00:25:41 php 85398 [Snort] Updating rules configuration for: WANONT ...
Nov 29 00:25:41 php 85398 [Snort] Snort has restarted on LAN with your new set of rules...
Nov 29 00:25:29 kernel pid 29090 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
Nov 29 00:25:29 php 85398 [Snort] Snort START for LAN...
Nov 29 00:25:28 snort 29090 *** Caught Term-Signal
Nov 29 00:25:27 php 85398 [Snort] Snort STOP for LAN...
Nov 29 00:25:27 php 85398 [Snort] Building new sid-msg.map file for LAN...
Nov 29 00:25:27 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...
Nov 29 00:25:26 php 85398 [Snort] Enabling any flowbit-required rules for: LAN...
Nov 29 00:25:26 php 85398 [Snort] Updating rules configuration for: LAN ...
Nov 29 00:25:25 php 85398 [Snort] Building new sid-msg.map file for WAN...
Nov 29 00:25:25 php 85398 [Snort] Enabling any flowbit-required rules for: WAN...
Nov 29 00:25:25 php 85398 [Snort] Enabling any flowbit-required rules for: WAN...
Nov 29 00:25:24 php 85398 [Snort] Updating rules configuration for: WAN ...
Nov 29 00:25:24 php 85398 [Snort] Removed 49 obsoleted rules category files.
Nov 29 00:25:24 php 85398 [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules were updated...
Nov 29 00:25:17 php 85398 [Snort] Feodo Tracker Botnet C2 IP rules file update downloaded successfully.
Nov 29 00:25:17 php 85398 [Snort] Emerging Threats Open rules file update downloaded successfully
Nov 29 00:25:15 php 85398 [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
Nov 29 00:25:15 php 85398 [Snort] Snort GPLv2 Community Rules file update downloaded successfully
Nov 29 00:25:13 php 85398 [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
Nov 29 00:25:13 php 85398 [Snort] Snort Subscriber rules file update downloaded successfully
Nov 29 00:25:04 php 85398 [Snort] There is a new set of Snort Subscriber rules posted. Downloading snortrules-snapshot-29200.tar.gz...
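
The log above is listed newest-first, so it is easy to misread which interface's snort process the kernel "exited on signal 11" line belongs to. The script below is an added example, not code from the report or from the pfSense Snort package: it puts the lines back into time order, ties each "Caught Term-Signal" pid to the interface whose STOP preceded it, and reports the signal the old process died with. The sample lines are copied from the report; the function and variable names are the example's own.

```python
"""Reconstruct the per-interface Snort restart sequence from pfSense system-log
lines and flag old processes that died from a signal instead of stopping cleanly.
Added example; lines in SAMPLE_LOG are taken from the bug report above."""
import re
from collections import defaultdict

# Newest-first, exactly as the pfSense system log view shows them.
SAMPLE_LOG = """\
Nov 29 00:25:57 php 85398 [Snort] The Rules update has finished.
Nov 29 00:25:57 php 85398 [Snort] Snort has restarted on WANONT with your new set of rules...
Nov 29 00:25:45 php 85398 [Snort] Snort START for WANONT...
Nov 29 00:25:44 kernel pid 31736 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
Nov 29 00:25:44 snort 31736 *** Caught Term-Signal
Nov 29 00:25:43 php 85398 [Snort] Snort STOP for WANONT...
Nov 29 00:25:41 php 85398 [Snort] Snort has restarted on LAN with your new set of rules...
Nov 29 00:25:29 kernel pid 29090 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
Nov 29 00:25:29 php 85398 [Snort] Snort START for LAN...
Nov 29 00:25:28 snort 29090 *** Caught Term-Signal
Nov 29 00:25:27 php 85398 [Snort] Snort STOP for LAN...
"""

STOP = re.compile(r"\[Snort\] Snort STOP for (\S+?)\.\.\.")
START = re.compile(r"\[Snort\] Snort START for (\S+?)\.\.\.")
# Tolerates both "*** Caught" and the extraction-mangled "* * * Caught".
TERM_SIGNAL = re.compile(r"snort (\d+) [* ]+Caught Term-Signal")
KERNEL_EXIT = re.compile(r"kernel pid (\d+) \(snort\).*?exited on signal (\d+)")

SIGTERM = 15  # the signal the package sends on STOP; anything else is abnormal


def analyse_update_log(text):
    """Return {interface: {stopped, started, pid, exit_signal}} for one update run.

    The syslog view is newest-first, so the lines are reversed before processing.
    A Term-Signal line is attributed to the interface whose STOP came just before
    it; the kernel exit line is then matched by pid, not by position, because the
    new START can be logged in the same second as the old process's death.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    report = defaultdict(lambda: {"stopped": False, "started": False,
                                  "pid": None, "exit_signal": None})
    pid_to_iface = {}
    stopping = None  # interface whose STOP was the most recent event
    for line in reversed(lines):
        if m := STOP.search(line):
            stopping = m.group(1)
            report[stopping]["stopped"] = True
        elif m := TERM_SIGNAL.search(line):
            pid = int(m.group(1))
            if stopping is not None:
                pid_to_iface[pid] = stopping
                report[stopping]["pid"] = pid
                stopping = None
        elif m := KERNEL_EXIT.search(line):
            pid, sig = int(m.group(1)), int(m.group(2))
            if pid in pid_to_iface:
                report[pid_to_iface[pid]]["exit_signal"] = sig
        elif m := START.search(line):
            report[m.group(1)]["started"] = True
    return dict(report)


def crashed_on_stop(report):
    """Interfaces whose old snort process died from a signal other than SIGTERM,
    mapped to that signal number (11 is SIGSEGV on FreeBSD)."""
    return {iface: d["exit_signal"] for iface, d in report.items()
            if d["exit_signal"] is not None and d["exit_signal"] != SIGTERM}


if __name__ == "__main__":
    result = analyse_update_log(SAMPLE_LOG)
    for iface, d in sorted(result.items()):
        print(f"{iface}: pid={d['pid']} stopped={d['stopped']} "
              f"started={d['started']} exit_signal={d['exit_signal']}")
    print("abnormal exits:", crashed_on_stop(result))
```

Run against the report's lines, both LAN and WANONT come out as restarted successfully but with the outgoing process dying on signal 11 after receiving the Term-Signal; that distinction (a crash at shutdown versus a crash of the newly started instance) is what a reader of the raw newest-first log has to work out by hand.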


Actions #1

Updated by Jim Pingle 5 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Package System to Snort
  • Release Notes deleted (Default)
Actions #2

Updated by Bill Meeks 2 months ago

You state "Snort since the last updates uses a lot of memory when updating...". What updates specifically? Updates to the Snort package or updates to pfSense itself?

What hardware platform are you using and how much RAM is installed?

Nothing has materially changed in the Snort PHP or binary code in quite some time. Snort by its nature is a memory hog. This is especially true when updating the rules as two complete copies of the rules for an interface can be in memory at the same time as the swap is made. You state you have Snort running on two interfaces, so that will compound the issue.

Additionally, I see you have both the Snort Subscriber Rules and the Snort GPLv2 Community Rules enabled. You do not need the GPLv2 Community Rules when you have an active Snort Subscriber Rules subscription. The downloaded Subscriber Rules contain all the relevant GPLv2 Community Rules already, so no need to have both enabled.
