Snort upgrade from 2.4 to 2.6

Today, I needed to upgrade my snort 2.4 install to 2.6. I had heard that it’s heavy on memory usage, so I wanted to tread softly here.

After doing the initial install, I noticed that snort continually complained about preprocessors (i.e. ftp_telnet, frag2, smtp, dcerpc and dns). I’m not sure why it doesn’t want these; I’ll need to do some research to make sure I’m not missing USE flags, etc. (In 2.6, ftp_telnet, smtp, dns and dcerpc ship as dynamic preprocessors, so a build without dynamic plugin support, or a snort.conf without the matching dynamicengine/dynamicpreprocessor lines, is the usual reason they fail to load.) After that, it gave me the following on start up:


ParseFlowArgs: Invalid token noalerts

This was related to a bleeding rule:


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB phpMyAdmin Suspicious Activity"; flow:to_server,established; content:"POST"; depth:4; nocase; uricontent:"/grab_globals.lib.php"; flowbits:set,post.phpmyadmin.grab_globals; flowbits:noalerts; classtype: web-application-activity; sid:2002408; rev:3;)
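The flowbits option in Snort 2.x only accepts the tokens set, unset, toggle, isset, isnotset and noalert (singular), so the `noalerts` in that rule is exactly what the parser rejected. Rather than finding such rules one restart at a time, the following added example (not code from the original post or from the Snort project) lints a rules file for flowbits tokens Snort 2.6 would refuse and rewrites the known misspellings. The SUGGESTIONS table and the sample ruleset are constructed for the example; the first sample rule is the bleeding-edge rule quoted above.

```python
"""Lint Snort 2.x rules for flowbits tokens the parser will reject.

Added example, not code from the original post or from Snort. It checks
each flowbits option against the token set Snort 2.6 accepts (set, unset,
toggle, isset, isnotset, noalert); the bleeding-edge rule quoted in the
post used "noalerts", which is what produced the ParseFlowArgs error.
"""
import re

# Tokens accepted by the Snort 2.x flowbits option ("noalert" is singular).
VALID_FLOWBITS = {"set", "unset", "toggle", "isset", "isnotset", "noalert"}

# Hand-built table of common misspellings (an assumption for this example,
# not a list shipped by Snort).
SUGGESTIONS = {"noalerts": "noalert", "is_set": "isset", "is_not_set": "isnotset"}

# Constructed sample ruleset: the rule from the post plus two well-formed
# rules (sids 9000001/9000002 are made up), one with an escaped ';' in a
# content string to exercise the option splitter.
SAMPLE_RULES = r"""
# bleeding-edge rule as quoted in the post (sid 2002408, rev 3)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB phpMyAdmin Suspicious Activity"; flow:to_server,established; content:"POST"; depth:4; nocase; uricontent:"/grab_globals.lib.php"; flowbits:set,post.phpmyadmin.grab_globals; flowbits:noalerts; classtype: web-application-activity; sid:2002408; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE set a bit"; flow:to_server,established; content:"GET"; flowbits:set,example.bit; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE check the bit"; flowbits:isset,example.bit; content:"a\;b"; sid:9000002; rev:1;)
"""


def split_options(option_body):
    """Split the text between the outer parentheses into option strings.

    Splits on ';' but not inside double quotes, and honours backslash
    escapes (Snort requires a literal ';' in a content string as \\;).
    """
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in option_body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Return (header, [options]) for one rule line, or None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start, end = line.find("("), line.rfind(")")
    if start == -1 or end == -1 or end < start:
        return None
    return line[:start].strip(), split_options(line[start + 1:end])


def lint_flowbits(rules_text):
    """Return (sid, bad_token, suggestion) for every flowbits token Snort 2.6
    would reject. suggestion is None when no fix is known."""
    findings = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, options = parsed
        sid, bad = None, []
        for opt in options:
            name, _, value = opt.partition(":")
            name, value = name.strip(), value.strip()
            if name == "sid":
                sid = int(value)
            elif name == "flowbits":
                # The token is everything before the first comma (e.g. set,bitname).
                token = value.split(",", 1)[0].strip().lower()
                if token not in VALID_FLOWBITS:
                    bad.append(token)
        for token in bad:
            findings.append((sid, token, SUGGESTIONS.get(token)))
    return findings


def fix_flowbits(rules_text):
    """Rewrite flowbits tokens listed in SUGGESTIONS; everything else is untouched."""
    def repl(m):
        token = m.group(1)
        return "flowbits:" + SUGGESTIONS.get(token.lower(), token)
    return re.sub(r"flowbits\s*:\s*([A-Za-z_]+)", repl, rules_text)


if __name__ == "__main__":
    for sid, token, fix in lint_flowbits(SAMPLE_RULES):
        print("sid %s: invalid flowbits token %r (suggest %s)" % (sid, token, fix))
```

Run it against your real rules file before restarting: anything it reports would otherwise stop snort at start-up with the same ParseFlowArgs error, and fix_flowbits only touches tokens with a known replacement, so unrecognised tokens are left for a human to look at.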

I went ahead and disabled this rule, and now it started. (The token Snort actually accepts is `noalert`, singular, so correcting the typo in the rule is the other option.) I wanted to check the memory usage with the new snort, but it died. Checking the logs again, I saw there were problems between the database and this version of snort.


FATAL ERROR: database: The underlying database seems to be running an older version of the DB schema (current version=106, required minimum version= 107). If you have an existing database with events logged by a previous version of snort, this database must first be upgraded to the latest schema (see the snort-users mailing list archive or DB plugin documention for details). If migrating old data is not desired, merely create a new instance of the snort database using the appropriate DB creation script (e.g. create_mysql, create_postgresql, create_oracle, create_mssql) located in the contrib\ directory. See the database documentation for cursory details (doc/README.database). and the URL to the most recent database plugin documentation.
Jan 28 16:18:03 comp device eth1 left promiscuous mode

I went ahead and cleared the snort tables on my mysql server and ran the schema at:

/usr/share/doc/snort-2.6.1.2/schemas/create_mysql.gz

After the new schema was loaded, snort stayed up, and BASE was showing alerts fine. Now I wanted to see what the memory consumption was all about.

Before I did anything, I took a look at snort-2.4’s memory usage:


USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
snort 15 0 79660 73m 3712 S 0.0 30.3 5:06.79 snort

That’s 30.3% memory consumption (73m resident). It was more than I thought it was consuming, but it’s on a box doing nothing else but firewall and routing, so I was fine with that. Doing a `top` and sorting by memory, 2.6 shows this:


snort 16 0 253m 192m 3344 S 0.0 79.7 0:12.48 snort

Holy cow! 79.7% memory usage (192m resident). Okay, so the word on the street is correct: it burns through memory. A friend hooked me up with a config option that helps with this:


config detection: search-method lowmem

Just put that somewhere towards the top of your snort.conf. The lowmem search method trades pattern-matching speed for a much smaller footprint than the Aho-Corasick methods, so keep an eye on dropped packets after switching. Restarting snort and running top again shows the following:


snort 15 0 77568 36m 3340 S 0.0 15.0 0:00.43 snort

Now, that’s more like it. 15.0% memory usage. That’s half of what it was running when I was using 2.4!

I’m still watching this upgrade to make sure things aren’t broken, etc. As stated above, I’m concerned about the preprocessors, so I’ll be sure to report any findings.

Thanks!