Snort - the de facto standard for intrusion detection/prevention

4.33 I upgraded to Snort 2.6 and it's using a lot of memory, what's up with that?

This is due to the detection method used by Snort's main rules detection engine. An explanation from Snort's Team Leader says it all:

In 2.6.0 we use the ac method, it is the fastest, but does consume more 
memory and takes some initial resources to build the DFA it uses.  The 
acs/ac-banded/and ac-sparsebands/mwm/lowmem methods each use less 
memory than the ac or ac-std methods.  However, we do not recommend mwm 
as it poses some DOS opportunities with repeated patterns. The lowmem 
method is about 20% slower than the faster methods, but uses very little 
memory and very little initial resources.  Of course you can also revert 
to the ac-std method that has been in use since 2.0 as well. Its 
startup is about 3x faster than the other ac methods.

Memory usage most to least is:

  ac-std
  ac
  ac-banded
  ac-sparsebands
  mwm
  acs
  lowmem

Startup processing most to least is

  most
  -----
  ac
  ac-banded
  ac-sparsebands
  acs

  moderate
  ---------
  ac-std

  very little
  ---------
  mwm
  lowmem

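As an added example (not part of this FAQ and not a file shipped with Snort), a snort.conf fragment that selects among the methods listed above using the Snort 2.x `config detection: search-method` directive; the comments restate the tradeoffs given by the Team Leader.

```conf
# snort.conf fragment (added example): choosing the pattern matcher used
# by the rules detection engine. Keep exactly one search-method line
# uncommented; the others are shown for comparison.

# Default in 2.6.0: Aho-Corasick with a full DFA. Fastest matching, but it
# consumes the most memory after ac-std and spends the most time at
# startup building the DFA.
# config detection: search-method ac

# Low-memory choice: matching is about 20% slower than the fastest
# methods, but it uses very little memory and almost no startup
# resources. A reasonable setting for a memory-constrained sensor.
config detection: search-method lowmem

# The matcher in use since Snort 2.0: moderate startup (about 3x faster
# than the other ac variants), but the largest memory footprint of all.
# config detection: search-method ac-std

# Not recommended by the Snort team: repeated patterns give mwm
# denial-of-service exposure, so leave it disabled.
# config detection: search-method mwm
```

After changing the method, restart Snort and compare its resident memory and startup time against the previous setting before leaving the change in place.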


Nigel Houghton 2006-10-02